Description
In Liferay Portal and Liferay DXP the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.
Severity
5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Affected Version(s)
- Liferay DXP 7.0
- Liferay DXP 7.1
- Liferay DXP 7.2
- Liferay Portal 7.0.0 - 7.0.6
- Liferay Portal 7.1.0 - 7.1.3
- Liferay Portal 7.2.0 - 7.2.1
- Liferay Portal 7.3.0
Fixed Version(s)
- Liferay DXP 7.3 GA1
- Liferay Portal 7.3.1
Publication date: Wed, 24 May 2023 07:00:00 +0000