CVE-2023-33949

CVSS v3.1 7.5 (High)
EPSS 0.08 % (37th)

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier, the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses that they don't control. The portal property company.security.strangers.verify should be set to true.
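
One way to audit this setting, as an added example that is not part of the advisory or Liferay's own tooling: the script resolves the effective value of company.security.strangers.verify across properties files read in load order and treats a missing entry as the insecure default described above. The layer names, the sample contents and the simplified .properties parsing (no line continuations) are assumptions made for the example.

```python
import re

KEY = "company.security.strangers.verify"

def effective_value(text, key=KEY):
    """Return the last value assigned to key in .properties text, or None."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":          # blank line or comment
            continue
        # A key ends at '=', ':' or whitespace; a later assignment wins.
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m and m.group(1) == key:
            value = m.group(2).strip()
    return value

def audit(layers):
    """layers: (name, text) pairs in load order; later layers override earlier."""
    value, source = None, None
    for name, text in layers:
        v = effective_value(text)
        if v is not None:
            value, source = v, name
    if value is None:
        # Nothing sets the property, so the shipped default applies; on the
        # affected versions that default does not require verification.
        return ("INSECURE_DEFAULT", None)
    if value.lower() == "true":
        return ("OK", source)
    return ("DISABLED", source)                  # anything else: flag for review

# Constructed sample input: a base file with the weak setting and an
# override file with the corrected one.
SAMPLE_LAYERS = [
    ("base.properties (constructed)",
     "# shipped defaults\ncompany.security.strangers.verify=false\n"),
    ("portal-ext.properties",
     "#company.security.strangers.verify=false\n"
     "company.security.strangers.verify = true\n"),
]

if __name__ == "__main__":
    status, source = audit(SAMPLE_LAYERS)
    print(status, "set in", source)
```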

Weaknesses: CWE-1188 (Initialization of a Resource with an Insecure Default)
CVE Status: PUBLISHED
CNA: Liferay Inc.
Published Date: 2023-05-24 17:15:09 (16 months ago)
Updated Date: 2023-05-31 20:16:46 (15 months ago)

Affected Products


Configuration #1

  Product                                  CPE23                                                From      Up To
  Liferay Digital Experience Platform 7.0  cpe:2.3:a:liferay:digital_experience_platform:7.0:-
  Liferay Digital Experience Platform 7.1  cpe:2.3:a:liferay:digital_experience_platform:7.1:-
  Liferay Digital Experience Platform 7.2  cpe:2.3:a:liferay:digital_experience_platform:7.2:-
  Liferay Portal (7.0.0 through 7.3.0)     cpe:2.3:a:liferay:liferay_portal                     >= 7.0.0  <= 7.3.0