CVE-2023-33949

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property company.security.strangers.verify should be set to true.

Published: May 24, 2023
Updated: May 10, 2024
CVE: CVE-2023-33949
GHSA: GHSA-g9mr-9xfc-4gf7
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWEs:

CWE-1188

Affected Software
References

Software	From	Fixed in
com.liferay.portal / release.portal.bom	7.0.0	7.3.1
liferay / digital_experience_platform	7.2	7.2.x
liferay / digital_experience_platform	7.1	7.1.x
liferay / digital_experience_platform	7.0	7.0.x
liferay / liferay_portal	7.0.0	7.3.0.x

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949

Vulnerability Database

289,697

CVE-2023-33949