Description
The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user's clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user's password.
References (2)
Core 2
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748389
Patch, Vendor Advisory x_refsource_confirm
https://issues.liferay.com/browse/LPE-17042
Scores
CVSS v3
4.9
EPSS
0.0012
EPSS Percentile
30.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-312
Status
published
Products (3)
com.liferay.portal/release.dxp.bom
0 - 7.0.10.fp93Maven
com.liferay.portal/release.portal.bom
7.3.0Maven
liferay/digital_experience_platform
7.0 (48 CPE variants)
Published
Aug 03, 2021
Tracked Since
Feb 18, 2026