Mon, 12 Nov 2018 09:39:00 +0000
CST-7108 User can change password without entering current password
In Liferay Portal 7.1 CE GA1, users are normally required to enter their current password if they want to change their password. However, the requirement to enter the current password can be circumvented making users vulnerable to account hijacking.
There is no patch available for Liferay Portal 7.1 CE GA1. Instead, users should upgrade to Liferay Portal 7.1 CE GA2 (7.1.1) or later to fix this issue.