PT-2023-24591 · Liferay · Liferay Dxp, Liferay Portal

Published: 2023-05-24 · Updated: 2026-01-09 · CVE-2023-33949

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.3.0 and earlier
Liferay DXP versions 7.2 and earlier

Description
The default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses they don't control. The issue can be addressed by setting the portal property company.security.strangers.verify to true.

Recommendations
For Liferay Portal versions 7.3.0 and earlier, set the portal property company.security.strangers.verify to true.
For Liferay DXP versions 7.2 and earlier, set the portal property company.security.strangers.verify to true.
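
A way to audit the recommended setting in override files, added here as an example and not taken from Liferay or from this advisory. It assumes the overrides live in Java .properties files such as portal-ext.properties, passed in load order; it inspects only those files, and treating only the literal value "true" as enabled is this script's own conservative assumption.

```python
import re
import sys

KEY = "company.security.strangers.verify"  # property named in the advisory

# Constructed sample override file, used when no path is given.
SAMPLE = """\
# portal-ext.properties (constructed sample)
company.security.strangers=true
company.security.strangers.verify : false
company.security.strangers.verify = \\
    true
"""

def parse_properties(text):
    """Parse Java .properties text: comments, =/:/space separators and
    backslash line continuations; a later definition overrides an earlier one."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        # An odd number of trailing backslashes continues the logical line.
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            pending = line[:-1]
            continue
        m = re.match(r"((?:\\.|[^\s=:\\])+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def verification_enforced(*texts):
    """True only if the last definition across the given files is 'true'.
    With no definition the shipped default applies, which the advisory
    describes as not requiring email verification."""
    merged = {}
    for text in texts:
        merged.update(parse_properties(text))
    return merged.get(KEY, "false").strip().lower() == "true"

if __name__ == "__main__":
    paths = sys.argv[1:]
    texts = [open(p, encoding="latin-1").read() for p in paths] or [SAMPLE]
    ok = verification_enforced(*texts)
    print(f"{KEY}: {'enforced' if ok else 'NOT enforced'}")
    sys.exit(0 if ok else 1)
```

The non-zero exit status when the property is missing or false lets the check run as a deployment gate.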

Fix


Weakness Enumeration

Related Identifiers

BIT-LIFERAY-2023-33949
CVE-2023-33949
GHSA-G9MR-9XFC-4GF7

Affected Products

Liferay Dxp
Liferay Portal