In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: Liferay
Published: 2023-05-24T16:01:55.501Z
Updated: 2024-08-02T15:54:14.057Z
Reserved: 2023-05-24T02:36:00.165Z
Link: CVE-2023-33949
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2023-05-24T17:15:09.933
Modified: 2023-05-31T20:16:46.520
Link: CVE-2023-33949
Redhat
No data.