In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.
References
Link | Resource |
---|---|
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
31 May 2023, 20:16
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-1188 | |
First Time |
Liferay
Liferay liferay Portal Liferay digital Experience Platform |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CPE | cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:* cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:* |
|
References | (MISC) https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949 - Vendor Advisory |
Information
Published : 2023-05-24 17:15
Updated : 2024-02-28 20:13
NVD link : CVE-2023-33949
Mitre link : CVE-2023-33949
CVE.ORG link : CVE-2023-33949
JSON object : View
Products Affected
liferay
- liferay_portal
- digital_experience_platform
CWE
CWE-1188
Insecure Default Initialization of Resource