CVE-2023-33949 MEDIUM

Vendor: Liferay
Product: Portal
Weakness: CWE-1188
Published: May 24, 2023
Last update: October 22, 2024

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier, the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses that they do not control. The portal property `company.security.strangers.verify` should be set to `true`.

Key dates

02 Disclosure timeline

May 24, 2023: CVE published
October 22, 2024: Record updated