Liferay Portal and Liferay DXP Password Reminder Answer Exposure Vulnerability

Vulnerability

A vulnerability exists in Liferay Portal versions 7.4.0 to 7.4.3.112, older unsupported versions, and Liferay DXP versions 2023.Q4.0 to 2023.Q4.8, 2023.Q3.1 to 2023.Q3.10, and 7.4 GA through update 92. The issue arises because audit event records include a user's password reminder answer. This flaw enables remote authenticated users to retrieve another user's password reminder answer through the audit events.

Impact

Exploitation of this vulnerability allows remote authenticated users to access other users' password reminder answers, potentially leading to unauthorized account access.

Remediation

Users can upgrade to Liferay Portal 7.4.3.113, Liferay DXP 2024.Q2.0, Liferay DXP 2024.Q1.1, or Liferay DXP 2023.Q4.9 to address this vulnerability.

Added: Sep 23, 2025, 12:42 AM
Updated: Sep 23, 2025, 12:42 AM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 5.2
remediation: 7.7
relevance: 0.6
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.