Issue
- It is possible to determine whether an email address belongs to an existing account (i.e., user enumeration) by comparing response times: the server answers a request carrying a registered address in a measurably different time than one carrying an unregistered address. No error message is needed; the timing alone can be observed in the browser's network tab by comparing the response time of a request with valid parameters to one with invalid parameters.
Environment
- DXP 7.4
Resolution
- The issue was addressed by LPS-153080, which is included in DXP 7.4 U28. Upgrading to U28 or a later update resolves it.
- If upgrading is not possible, a hotfix for versions prior to U28 can be requested from Liferay Support.
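To make both the timing side channel described under Issue and the class of fix applied under Resolution concrete, the following added Python example (not Liferay's code and not the LPS-153080 patch) simulates a login check that returns early for unknown addresses next to one that performs the same work on both paths, and runs the response-time comparison an attacker would perform against each. The in-memory user store, the PBKDF2 cost, the dummy credential used to equalise work, and the 10 ms decision gap (roughly what is visible in a browser's network tab) are all assumptions made for illustration.

```python
"""Timing-based user enumeration: a vulnerable login check next to a hardened
one, plus the response-time comparison used to tell them apart.

Added example; not Liferay code. The user store, hashing parameters and
decision threshold are assumptions for illustration."""
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 100_000  # assumed PBKDF2 cost; high enough to make the timing gap obvious


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash (PBKDF2-HMAC-SHA256); this is the work that leaks timing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store with a single registered account.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, hash_password("correct horse", _SALT))}

# Dummy credential hashed for unknown addresses so both code paths cost the same.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder", _DUMMY_SALT)


def vulnerable_login(email: str, password: str) -> bool:
    """Returns early when the address is unknown: the expensive hash only runs
    for registered users, so response time reveals whether the email exists."""
    record = USERS.get(email)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def hardened_login(email: str, password: str) -> bool:
    """Does the same amount of work on both paths: an unknown address is hashed
    against a dummy record and the result is discarded."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(hash_password(password, salt), stored)
    return match and email in USERS  # dummy match never logs anyone in


def median_response_time(login, email: str, password: str, samples: int = 7) -> float:
    """Median wall-clock seconds over `samples` calls; the median damps jitter."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        login(email, password)
        timings.append(time.perf_counter() - start)
    return statistics.median(timings)


def enumerate_accounts(login, candidates, min_gap: float = 0.010) -> dict:
    """Flags a candidate as existing when its median response time exceeds the
    baseline for a certainly-unregistered address by at least `min_gap` seconds.
    The baseline address is randomised so it cannot collide with a real user."""
    baseline_email = "nobody-" + os.urandom(4).hex() + "@example.invalid"
    baseline = median_response_time(login, baseline_email, "wrong-password")
    return {
        email: median_response_time(login, email, "wrong-password") - baseline >= min_gap
        for email in candidates
    }


if __name__ == "__main__":
    targets = ["alice@example.com", "bob@example.com"]
    print("vulnerable:", enumerate_accounts(vulnerable_login, targets))
    print("hardened:  ", enumerate_accounts(hardened_login, targets))
```

Against `vulnerable_login` the registered address is flagged and the unregistered one is not, because only the registered path pays the hashing cost; against `hardened_login` neither is flagged, since both paths hash before answering. The same equal-work principle applies to any endpoint that looks up an account by email (login, password reset, registration), and the check worth running after an upgrade is exactly this comparison: several timed requests per address, compared by median rather than by a single sample.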