CVE-2021-29038 uncovers a hidden threat in Liferay Portal versions 7.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 and 7.2 before fix pack 17, as well as older unsupported releases. The issue? User password reminder answers (the security answers you use to recover your account) are displayed as plain text on the web page. This means anyone looking over your shoulder or snooping on unencrypted network traffic has a chance to steal your answers and hijack your account.
Why Is This Issue Serious?
Password reminder questions are a common way to reset passwords. If an attacker learns your answer (“What was your first pet’s name?”), they can bypass normal authentication and take over your account. Since sensitive information is shown clearly on the page, shoulder surfing (someone watching your screen) and man-in-the-middle attacks (someone spying on your network) become dead simple.
Bad news: Even if you choose a strong password, your account is vulnerable if the “secret answer” is exposed.
Affected versions: Liferay Portal 7.2 through 7.3.5; Liferay DXP 7.3 before fix pack 1 and 7.2 before fix pack 17 (and older unsupported versions).
If you run these platforms unpatched, or haven’t updated for a while, your users are at risk.
Technical Details: How the Leak Happens
When users set up or reset password reminder questions, the answer field is rendered using a simple <input type="text"> instead of <input type="password">. This means the answer appears in plain sight as you type.
A typical vulnerable field in the form could look like this:
<!-- Vulnerable form: answer shown as plain text -->
<label for="reminderAnswer">Answer:</label>
<input id="reminderAnswer" name="reminderAnswer" type="text">
What should it be?
<!-- Safe form: answer hidden as dots or stars -->
<label for="reminderAnswer">Answer:</label>
<input id="reminderAnswer" name="reminderAnswer" type="password">
1. Bob visits his company’s Liferay Portal to reset his password.
2. On the reset page, he’s asked for the answer to his security question (“Mother’s maiden name”).
3. As he types, the answer appears in plain text.
4. Someone walking behind Bob, or looking over his shoulder, sees “Johnson” appear letter by letter and memorizes it or snaps a photo of the screen.
5. Later, the attacker goes to the same reset page, enters Bob’s username, and uses the observed answer to reset the account’s password. From now on they can reset Bob’s password anytime.
Worse, if Bob is on public Wi-Fi and the page isn’t served over HTTPS, an attacker sniffing the network can capture the plain answer as well.
Sample network packet (captured unencrypted; note the blank line that separates the headers from the form body):
POST /c/portal/update_reminder HTTP/1.1
Host: your-liferay-portal.com
Content-Type: application/x-www-form-urlencoded

reminderQueryQuestion=Your+first+car%3F&reminderAnswer=HondaCivic
Upgrade, immediately:
Apply the latest fix pack for Liferay DXP/Portal.
Review your forms:
Check your custom code or templates for any <input type="text"> fields used for passwords, PINs, or security answers. Change them to <input type="password">.
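To make that review step repeatable, here is an added example (not code from the original post or from Liferay) of a small scanner for your templates and rendered pages: it flags every input whose name or id looks like a password, PIN or reminder answer but that is rendered with type="text" or with no type at all (browsers treat a missing type as text). The reminderAnswer field name comes from the form shown earlier; the other name patterns and the sample markup are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Field names that carry secrets and must never be rendered unmasked.
# "reminderAnswer" is the field from the form above; the other patterns are
# assumed names you might find in custom templates (password, PIN, answers).
SECRET_FIELD = re.compile(
    r"(password|passwd|pin|secret|reminder.?answer|security.?answer)", re.I
)


class SecretInputScanner(HTMLParser):
    """Collect <input> tags that look secret but are not type="password"."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        # A missing type attribute defaults to "text" in browsers, so it counts as exposed.
        itype = a.get("type", "text").lower()
        label = a.get("name") or a.get("id") or ""
        if SECRET_FIELD.search(label) and itype != "password":
            self.findings.append((label, itype, self.getpos()[0]))


def scan_markup(markup: str):
    """Return (field name, rendered type, line number) for each unmasked secret field."""
    parser = SecretInputScanner()
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed sample: the vulnerable and fixed forms from this post, plus an
# input with no type attribute at all and an ordinary username field.
SAMPLE = """
<form action="/c/portal/update_reminder" method="post">
  <label for="reminderAnswer">Answer:</label>
  <input id="reminderAnswer" name="reminderAnswer" type="text">
</form>
<form>
  <input id="reminderAnswer" name="reminderAnswer" type="password">
  <input name="userPin">
  <input name="userName" type="text">
</form>
"""

if __name__ == "__main__":
    for field, itype, line in scan_markup(SAMPLE):
        print(f'line {line}: field "{field}" rendered as type="{itype}"; use type="password"')
```

Run it over saved templates or captured page source; the fixed reminderAnswer field and the plain userName field are not reported.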
Liferay Security Advisory:
SECURITY-3903: Password reminder answer can be seen by someone watching the screen
MITRE CVE Entry:
Official Patch Notes:
Liferay DXP 7.3 Fix Pack Release Notes
Bottom Line
CVE-2021-29038 shows how a simple mistake—treating a password reminder answer field as an ordinary text box—creates real risk. Anyone with line of sight (or access to your network) can grab your secret answers and break into your account.
Don’t wait: Check your Liferay version, review your password reminder forms, and patch if needed. Protect your users—before someone shoulder-surfs their way into your system.
If you found this security deep-dive helpful, share it with your IT team and check your apps today!
Timeline
Published on: 02/20/2024 22:15:08 UTC
Last modified on: 11/15/2024 18:35:29 UTC