Description

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.

Remediation

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949

Related Vulnerabilities

CVE-2022-43426 Vulnerability in maven package io.jenkins.plugins:s3explorer

CVE-2020-10714 Vulnerability in maven package org.wildfly.security:wildfly-elytron

CVE-2023-25499 Vulnerability in maven package com.vaadin:flow-server

CVE-2017-1000354 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2010-2276 Vulnerability in npm package dojo

Severity

High

Classification

CWE-1188 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Vendor Advisory