CVE-2023-33949

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*

History

31 May 2023, 20:16

Type Values Removed Values Added
CWE CWE-1188
First Time Liferay
Liferay liferay Portal
Liferay digital Experience Platform
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CPE cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*
References (MISC) https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949 - (MISC) https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949 - Vendor Advisory

Information

Published : 2023-05-24 17:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-33949

Mitre link : CVE-2023-33949

CVE.ORG link : CVE-2023-33949


JSON object : View

Products Affected

liferay

  • liferay_portal
  • digital_experience_platform
CWE
CWE-1188

Insecure Default Initialization of Resource