Liferay DXP Insufficient Session Expiration Vulnerability - CVE-2021-33322
In Liferay Portal 7.3.0 and earlier and Liferay DXP 7.0 before fix pack 96 7.1 before fix pack 18 and 7.2 before fix pack 5 password reset tokens are not invalidated after a user changes their password which allows remote attackers to change the users password via the old password reset token.