Description

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token.

Remediation

References

CVE-2021-33322

Related Vulnerabilities

WordPress Plugin Image Gallery-Responsive Photo Gallery Multiple Unspecified Vulnerabilities (1.9.58)

TYPO3 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2009-4855)

WordPress Plugin Elements kit Elementor addons (Header & Footer Builder, Mega Menu Builder, Layout Library) Multiple Cross-Site Scripting Vulnerabilities (2.1.7)

WordPress Plugin Font-official webfonts plugin of Fonts For Web Cross-Site Scripting (7.5.1)

WordPress Plugin Improved Sale Badges for WooCommerce Security Bypass (4.3.2)

Severity

High

Classification

CVE-2021-33322 CWE-613

Tags

Missing Update Known Vulnerabilities