Description
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.
Remediation
References
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949
Related Vulnerabilities
CVE-2022-34180 Vulnerability in maven package org.jenkins-ci.plugins:embeddable-build-status
CVE-2020-11971 Vulnerability in maven package org.apache.camel:camel-management
CVE-2011-2731 Vulnerability in maven package org.springframework.security:spring-security-core
CVE-2017-4973 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-server
CVE-2017-2602 Vulnerability in maven package org.jenkins-ci.main:jenkins-core