Description

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.

Remediation

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949

Related Vulnerabilities

CVE-2017-12174 Vulnerability in maven package org.apache.activemq:artemis-core-client

CVE-2018-1999030 Vulnerability in maven package org.jenkins-ci.plugins:maven-artifact-choicelistprovider

CVE-2023-46651 Vulnerability in maven package io.jenkins.plugins:warnings-ng

CVE-2022-31160 Vulnerability in maven package org.fujion.webjars:jquery-ui

CVE-2011-0013 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

Severity

High

Classification

CWE-1188 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Vendor Advisory