CVE-2023-33949: CVE-2023-33949 Users do not have to verify their email address by default - Liferay

This website uses cookies to ensure you get the best experience. Learn More.

Accept

• Ask
• Blogs
• Download
• Feedback
• Help
• Learn
• Projects
• /dev/24
• Log In

Known Vulnerabilities

• Overview
• Reporting Security Issues
• Known Vulnerabilities
• Hall of Fame

Releases

• Liferay Portal 7.4

• Liferay Portal 7.3

• Liferay Portal 7.2

• Liferay Portal 7.1

• Liferay Portal 7.0

• Liferay Portal 6.2 CE

• Liferay Faces

• Liferay DXP 7.4

• Liferay DXP 7.3

• Liferay DXP 7.2

• LIferay DXP 7.1

• LIferay DXP 7.0

CVE-2023-33949 Users do not have to verify their email address by default

Description

In Liferay Portal and Liferay DXP the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don’t control. The portal property `company.security.strangers.verify` should be set to true.

Severity

5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Version(s)

• Liferay DXP 7.0
• Liferay DXP 7.1
• Liferay DXP 7.2
• Liferay Portal 7.0.0 - 7.0.6
• Liferay Portal 7.1.0 - 7.1.3
• Liferay Portal 7.2.0 - 7.2.1
• Liferay Portal 7.3.0

Fixed Version(s)

• Liferay DXP 7.3 GA1
• Liferay Portal 7.3.1

Publication date: Wed, 24 May 2023 07:00:00 +0000

Security advisories for Liferay’s enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.