2 matches found
com.liferay:com.liferay.my.account.web (>=1.0.0 <=1.0.12), com.liferay:com.liferay.portal.settings.web (>=1.0.0 <=1.2.4) potentially affected by CVE-2021-29038 via com.liferay:com.liferay.users.admin.web (>=1.0.0 <=2.3.0)
com.liferay:com.liferay.users.admin.web MAVEN version =1.0.0, =1.0.0, =1.0.0, =1.2.4 Source cves: CVE-2021-29038 Source advisory: OSV:GHSA-MWHF-6MJM-6W3H...
CVE-2021-29038
CVE-2021-29038 affects Liferay Portal 7.2.0–7.3.5 and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, and 7.2 before fix pack 17. The issue: password reminder answers are not obfuscated on the page, enabling attackers to perform MITM or shoulder-surfing attacks to steal those a...