Vulnerability Details CVE-2023-33949
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 39.7%
CVSS Severity
CVSS v3 Score 5.3
References
Products affected by CVE-2023-33949
-
cpe:2.3:a:liferay:digital_experience_platform:7.0
-
cpe:2.3:a:liferay:digital_experience_platform:7.1
-
cpe:2.3:a:liferay:digital_experience_platform:7.2
-
cpe:2.3:a:liferay:liferay_portal:7.0.0
-
cpe:2.3:a:liferay:liferay_portal:7.0.1
-
cpe:2.3:a:liferay:liferay_portal:7.0.2
-
cpe:2.3:a:liferay:liferay_portal:7.0.3
-
cpe:2.3:a:liferay:liferay_portal:7.0.3_ga4
-
cpe:2.3:a:liferay:liferay_portal:7.0.4
-
cpe:2.3:a:liferay:liferay_portal:7.0.5
-
cpe:2.3:a:liferay:liferay_portal:7.0.6
-
cpe:2.3:a:liferay:liferay_portal:7.1
-
cpe:2.3:a:liferay:liferay_portal:7.1.0
-
cpe:2.3:a:liferay:liferay_portal:7.1.1
-
cpe:2.3:a:liferay:liferay_portal:7.1.2
-
cpe:2.3:a:liferay:liferay_portal:7.1.3
-
cpe:2.3:a:liferay:liferay_portal:7.2
-
cpe:2.3:a:liferay:liferay_portal:7.2.0
-
cpe:2.3:a:liferay:liferay_portal:7.2.1
-
cpe:2.3:a:liferay:liferay_portal:7.3
-
cpe:2.3:a:liferay:liferay_portal:7.3.0