Description

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.

Remediation

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949

Related Vulnerabilities

CVE-2022-36904 Vulnerability in maven package org.jenkins-ci.plugins:repository-connector

CVE-2021-21625 Vulnerability in maven package org.jenkins-ci.plugins:aws-credentials

CVE-2023-46731 Vulnerability in maven package org.xwiki.platform:xwiki-platform-administration-ui

CVE-2022-45384 Vulnerability in maven package org.jenkins-ci.plugins:reverse-proxy-auth-plugin

CVE-2021-44145 Vulnerability in maven package org.apache.nifi:nifi

Severity

High

Classification

CWE-1188 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Vendor Advisory