CVE-2023-33949
MEDIUM
Liferay Portal <7.3.0 & Liferay DXP <7.2 - Info Disclosure
Title source: llm
Description
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier, the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses that they don't control. The portal property `company.security.strangers.verify` should be set to `true`.
Scores
CVSS v3
5.3
EPSS
0.0023
EPSS Percentile
46.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1188
Status
published
Products (4)
com.liferay.portal/release.portal.bom
7.0.0 - 7.3.1 (Maven)
liferay/digital_experience_platform
7.0 - 7.2
liferay/liferay_portal
7.3.0
liferay/liferay_portal
7.0.0 - 7.0.6
Published
May 24, 2023
Tracked Since
Feb 18, 2026