Insecure default configuration may allow remote attackers to enumerate users' email addresses via the forgot password functionality. This can be a risk in the case of public-facing deployments.
- Liferay DXP 6.2 EE
- Liferay DXP 7.0-7.2
It is recommended to set the portal property
true in your
On the specified product versions, this property defaults to "false":
# Set this to true to prevent attempts to enumerate the portal's users via # the forgot password feature. This feature will no longer show an error # that would reveal a user's existence. login.secure.forgot.password=false
To avoid causing unwanted behavior change in existing deployments, Liferay will not change this default setting in a Fix Pack/Service Pack.
In Liferay DXP 7.3 this property defaults to "true".