User enumeration attack via response time
  • It is possible to determine whether an email address belongs to a registered account (i.e., user enumeration) by comparing response times: a request carrying a valid email address takes a measurably different amount of time to complete than one carrying an invalid address. This can be observed in the browser's network tab by timing the same request once with valid parameters and once with invalid ones.
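As an added illustration (not Liferay's code and not the LPS-153080 change itself), the typical shape of this defect and its mitigation: a login handler that returns early for an unknown email responds far faster than one that reaches the password hash, while a handler that always performs the hash, against a dummy record when the email is unknown, takes roughly the same time either way. The user store, credentials and iteration count below are constructed sample values.

```python
import hashlib
import hmac
import os
import time

# Constructed sample values; a real deployment uses its own store and work factor.
_ITERATIONS = 20_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so that unknown emails still pay the full hashing cost.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)


def login_leaky(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        return False  # early return: no hashing, so the response is much faster
    salt, stored = rec
    return hmac.compare_digest(_hash(password, salt), stored)


def login_constant_work(email: str, password: str) -> bool:
    # Always hash; fall back to the dummy record when the email is unknown.
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    return matched and email in USERS  # never accept a match against the dummy


def best_of(fn, email: str, password: str, rounds: int = 5) -> float:
    """Fastest observed wall-clock time, mimicking what the network tab shows."""
    best = float("inf")
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(email, password)
        best = min(best, time.perf_counter() - t0)
    return best


def timing_ratio(fn) -> float:
    """Known-email time divided by unknown-email time; ~1.0 means no leak."""
    known = best_of(fn, "alice@example.com", "wrong password")
    unknown = best_of(fn, "nobody@example.com", "wrong password")
    return known / unknown
```

Run `timing_ratio(login_leaky)` and `timing_ratio(login_constant_work)` side by side: the first is large, the second stays close to 1.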
  • DXP 7.4
  • The fix was delivered under LPS-153080 and shipped in DXP 7.4 U28, so upgrading to that update or a later one should resolve the issue.
  • If needed, a hotfix can be requested from Liferay Support for versions prior to U28.