Description

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.

Remediation

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949

Related Vulnerabilities

CVE-2020-15138 Vulnerability in npm package prismjs

CVE-2023-0481 Vulnerability in maven package io.quarkus.resteasy.reactive:resteasy-reactive-common

CVE-2022-27260 Vulnerability in npm package buttercms

CVE-2015-1807 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2022-23106 Vulnerability in maven package io.jenkins:configuration-as-code

Severity

High

Classification

CWE-1188 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Vendor Advisory