In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.
References
Link | Resource |
---|---|
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Liferay
Published: 2023-05-24T16:01:55.501Z
Updated: 2023-05-24T16:01:55.501Z
Reserved: 2023-05-24T02:36:00.165Z
Link: CVE-2023-33949
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-05-24T17:15:09.933
Modified: 2023-05-31T20:16:46.520
Link: CVE-2023-33949
JSON object: View
Redhat Information
No data.
CWE