CVE-2023-33949

Summary

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property company.security.strangers.verify should be set to true.

Affected Software

VendorProductVersion RangeStatus
LiferayPortal0 <= 7.3.0affected
LiferayDXP0 < 7.3.10affected

Weaknesses

  • CWE-1188: CWE-1188 Insecure Default Initialization of Resource

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References