CVE-2021-33322 - Insufficient Session Expiration vulnerability in Liferay DXP 7.0

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: HIGH
Availability impact: NONE
Tags: network, low complexity, liferay, CWE-613

Summary

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token.

Vulnerable Configurations

Part         Description  Count
Application  Liferay      328

Common Weakness Enumeration (CWE)