Description
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier, the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses that they don't control. The portal property `company.security.strangers.verify` should be set to true.
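A way to audit a portal properties file for this setting, as an added example that is not part of the advisory or of Liferay's code. The sample file contents are constructed, the `false` fallback is an assumption standing in for the unverified default described above, and the parser covers only simple `key=value`, `key:value` and `key value` lines (no line continuations or escapes).

```python
import re

KEY = "company.security.strangers.verify"
# key, then '=', ':' or whitespace as separator, then the value
_LINE = re.compile(r"^\s*([^\s=:#!][^\s=:]*)\s*[=:]?\s*(.*?)\s*$")


def effective_value(text, default="false"):
    """Return the value the file gives KEY, or `default` when it is unset.

    `default` is an assumption: it models the affected versions, where
    email verification is off unless the property is set.
    """
    value = default
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped[0] in "#!":  # blank line or comment
            continue
        m = _LINE.match(raw)
        if m and m.group(1) == KEY:
            value = m.group(2)  # a later definition overrides an earlier one
    return value


def audit(text):
    """True only when the effective value is the literal 'true'.

    Anything else (unset, commented out, overridden, misspelled) is
    reported as failing, which is the conservative reading for an audit.
    """
    return effective_value(text).lower() == "true"


# Constructed sample files, not taken from any real deployment.
SAMPLES = {
    "unset": "# portal-ext.properties\njdbc.default.username=lportal\n",
    "commented": "#company.security.strangers.verify=true\n",
    "overridden": (
        "company.security.strangers.verify=true\n"
        "company.security.strangers.verify=false\n"
    ),
    "fixed": (
        "company.security.strangers=true\n"
        "company.security.strangers.verify = true\n"
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10s} {'OK' if audit(body) else 'NOT ENFORCED'}")
```

A passing result covers only the file that was checked; any other place the deployment can set this value has to be reviewed separately.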
Remediation
References
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949
Related Vulnerabilities
CVE-2022-43426 Vulnerability in maven package io.jenkins.plugins:s3explorer
CVE-2020-10714 Vulnerability in maven package org.wildfly.security:wildfly-elytron
CVE-2023-25499 Vulnerability in maven package com.vaadin:flow-server
CVE-2017-1000354 Vulnerability in maven package org.jenkins-ci.main:jenkins-core