Vulnerabilities > CVE-2023-33949 - Insecure Default Initialization of Resource vulnerability in Liferay Digital Experience Platform and Liferay Portal

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

liferay

CWE-1188

NVD

Published: 2023-05-24

Updated: 2023-05-31

Summary

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.

Vulnerable Configurations

Part	Description	Count
Application	Liferay Liferay Digital Experience Platform 7.2 Liferay Digital Experience Platform 7.1 Liferay Digital Experience Platform 7.0 Liferay Liferay Portal 7.0.0 Liferay Liferay Portal 7.0.1 Liferay Liferay Portal 7.0.2 Liferay Liferay Portal 7.0.3 Liferay Liferay Portal 7.0.3_Ga4 Liferay Liferay Portal 7.0.4 Liferay Liferay Portal 7.0.5 Liferay Liferay Portal 7.0.6 Liferay Liferay Portal 7.1 Liferay Liferay Portal 7.1.0 Liferay Liferay Portal 7.1.1 Liferay Liferay Portal 7.1.2 Liferay Liferay Portal 7.1.3 Liferay Liferay Portal 7.2 Liferay Liferay Portal 7.2.0 Liferay Liferay Portal 7.2.1 Liferay Liferay Portal 7.3 Liferay Liferay Portal 7.3.0	113

Common Weakness Enumeration (CWE)

CWE-1188 - Insecure Default Initialization of Resource

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949