Password Reminder Answer Exposure in Liferay Portal and DXP Products
CVE-2021-29038
Currently unrated
Key Information:
- Vendor: Liferay
- CVE Published: 20 February 2024
What is CVE-2021-29038?
The vulnerability arises from the failure of Liferay Portal and Liferay DXP to obfuscate answers provided for password reminders. This leaves the sensitive information exposed on the page, making it susceptible to interception by attackers using techniques such as man-in-the-middle or shoulder surfing. When users enter their password reminder answers, these responses can be viewed by unauthorized individuals, leading to potential account compromise. Organizations utilizing affected versions should prioritize updates and implement additional security measures to safeguard user credentials.
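
One way to check rendered pages for this class of exposure, as an added example that is not Liferay's code or part of the original advisory: the script parses HTML and reports password reminder answer inputs that are not rendered as masked fields. The field-name pattern and the sample markup are constructed assumptions; the check for a prefilled value goes slightly beyond what the advisory describes.

```python
import re
from html.parser import HTMLParser

# Assumption: heuristic for reminder-answer field names; real names vary
# by product and version and are not given in the advisory.
ANSWER_HINT = re.compile(r"reminder.*answer|security.*answer", re.I)


class ReminderAnswerAudit(HTMLParser):
    """Collects reminder-answer inputs that expose the answer on the page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        ident = a.get("name") or a.get("id") or ""
        if not ANSWER_HINT.search(ident):
            return
        input_type = (a.get("type") or "text").lower()  # HTML default is text
        issues = []
        if input_type not in ("password", "hidden"):
            issues.append(f"type={input_type!r} shows the answer on screen")
        if a.get("value"):
            issues.append("answer is present in the value attribute")
        if issues:
            self.findings.append((ident, issues))


def audit(html):
    """Return a list of (field identifier, [issues]) for one HTML document."""
    parser = ReminderAnswerAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup, not taken from any Liferay page.
SAMPLE = """
<form>
  <input type="text" name="reminderAnswer" value="Rex">
  <input type="password" name="securityAnswer">
  <input name="reminder_answer_2">
  <input type="text" name="emailAddress" value="a@example.com">
</form>
"""

if __name__ == "__main__":
    for field, issues in audit(SAMPLE):
        print(field, "->", "; ".join(issues))
```

Masking the field addresses on-screen viewing only; the submitted answer still needs TLS in transit.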