Description
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier, the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses that they don't control. The portal property `company.security.strangers.verify` should be set to `true`.
Remediation
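To confirm that the property named in the description is effectively set to `true`, the following check parses the text of a portal properties file. It is an example added here, not Liferay's code: the function names and the sample file contents are constructed, and it assumes the setting is supplied through a properties file such as `portal-ext.properties`.

```python
import re

PROP = "company.security.strangers.verify"

def load_properties(text):
    """Parse Java .properties text into a dict; the last definition wins."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue  # blank line or comment
        # An odd number of trailing backslashes continues onto the next line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]
            continue
        # The key ends at the first unescaped '=', ':' or whitespace.
        m = re.match(r"((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def verify_email_required(text):
    """Return (ok, detail) for the contents of one properties file."""
    props = load_properties(text)
    if PROP not in props:
        return False, f"{PROP} not set; the default does not verify"
    value = props[PROP].strip()
    # Strict on purpose (an assumption of this example): only "true" passes.
    return value.lower() == "true", f"{PROP}={value}"

# Constructed sample file contents, not taken from a real deployment.
SAMPLES = {
    "absent": "web.server.protocol=https\n",
    "commented": "#company.security.strangers.verify=true\n",
    "overridden": "company.security.strangers.verify=true\n"
                  "company.security.strangers.verify = false\n",
    "hardened": "  company.security.strangers.verify : true\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        ok, detail = verify_email_required(text)
        print(f"{name:10} {'OK  ' if ok else 'FAIL'} {detail}")
```

The check covers only the properties text it is given; a value applied through any other configuration layer is outside its scope.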
References
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949