CVE-2023-33949 Users do not have to verify their email address by default

Description

In Liferay Portal and Liferay DXP the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.

Severity

5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Version(s)

  • Liferay DXP 7.0
  • Liferay DXP 7.1
  • Liferay DXP 7.2
  • Liferay Portal 7.0.0 - 7.0.6
  • Liferay Portal 7.1.0 - 7.1.3
  • Liferay Portal 7.2.0 - 7.2.1
  • Liferay Portal 7.3.0

Fixed Version(s)

Publication date: Wed, 24 May 2023 07:00:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.