CVE-2021-29041
Description
Authenticated users can cause denial-of-service by manipulating TOTP settings for other users in Liferay DXP 7.3 before fix pack 1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the Multi-Factor Authentication module of Liferay DXP 7.3 prior to fix pack 1. A remote authenticated attacker can enable Time-based One-time Password (TOTP) on behalf of another user or modify that user's TOTP shared secret, thereby preventing the targeted user from authenticating. [1]
Exploitation
An attacker must have authenticated access to the Liferay DXP instance. Through the Multi-Factor Authentication module, they can either enable TOTP for another user or alter the existing TOTP shared secret of that user. No additional privileges or user interaction are required. [1]
Impact
Successful exploitation results in a denial-of-service condition: the targeted user is unable to authenticate because their TOTP configuration has been changed or enabled without their consent. This can affect any user, including administrators, potentially leading to a complete lockout of legitimate users. [1]
Mitigation
Liferay released a fix in fix pack 1 for Liferay DXP 7.3. Users should upgrade to the fixed version. No workarounds are documented in the available references. [1]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.dxp.bom (Maven) | < 7.3.10.fp1 | 7.3.10.fp1 |
Affected products
- Liferay/Liferay DXP
References
- github.com/advisories/GHSA-82j7-2h3j-hc7f (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-29041 (ADVISORY)
- liferay.com (WEB)
- issues.liferay.com/browse/LPE-17131 (WEB)