Description
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier, the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses that they don't control. The portal property `company.security.strangers.verify` should be set to `true`.
Remediation
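An added example, not code from Liferay or from the original advisory: a Python check that parses the text of a properties override file and reports whether `company.security.strangers.verify` is effectively `true`. The file name `portal-ext.properties`, the function names and the sample contents are assumptions constructed for illustration; an unset property is reported as failing because the description above says the default does not require verification.

```python
import re

PROP = "company.security.strangers.verify"  # property named in the advisory

def effective_value(text, key=PROP):
    """Last value assigned to key in Java .properties text, or None if unset."""
    value, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":      # blank line or comment
            continue
        # An odd number of trailing backslashes continues the logical line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m and m.group(1) == key:
            value = m.group(2).strip()       # later definitions override earlier
    return value

def audit(text):
    """Return (ok, reason) for the email-verification setting."""
    value = effective_value(text)
    if value is None:
        return False, PROP + " is unset; the shipped default applies"
    if value.lower() == "true":
        return True, PROP + " is true"
    return False, PROP + " is " + repr(value)

# Constructed sample contents (assumed file: portal-ext.properties).
WEAK = "# self-registration enabled\ncompany.security.strangers=true\n"
FIXED = WEAK + "company.security.strangers.verify = true\n"
OVERRIDDEN = FIXED + "company.security.strangers.verify=false\n"

if __name__ == "__main__":
    for name, sample in [("WEAK", WEAK), ("FIXED", FIXED), ("OVERRIDDEN", OVERRIDDEN)]:
        print(name, audit(sample))
```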
References
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949
Related Vulnerabilities
CVE-2019-3802 Vulnerability in maven package org.springframework.data:spring-data-jpa
CVE-2014-1403 Vulnerability in npm package easyxdm
CVE-2018-1307 Vulnerability in maven package org.apache.juddi:juddi-client
CVE-2021-22097 Vulnerability in maven package org.springframework.amqp:spring-amqp
CVE-2020-13925 Vulnerability in maven package org.apache.kylin:kylin-server