In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.
References
Link | Resource |
---|---|
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
31 May 2023, 20:16
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CPE | cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:* |
|
References | (MISC) https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949 - Vendor Advisory | |
CWE | CWE-1188 |
24 May 2023, 17:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-05-24 17:15
Updated : 2024-02-04 23:37
NVD link : CVE-2023-33949
Mitre link : CVE-2023-33949
CVE.ORG link : CVE-2023-33949
JSON object : View
Products Affected
liferay
- digital_experience_platform
- liferay_portal
CWE
CWE-1188
Insecure Default Initialization of Resource