CVE-2023-33949
Insecure Default Initialization In Liferay Portal
CVSS 3.1 score: 5.3 (MEDIUM); EPSS: 0.34%
Description
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier, the default configuration does not require users to verify their email address. This allows remote attackers to create accounts using fake email addresses, or email addresses they do not control. The portal property `company.security.strangers.verify` should be set to `true` so that self-registered accounts are required to verify their email address.
How to fix CVE-2023-33949
To remediate CVE-2023-33949, upgrade the affected package to a fixed version below.
- no fix listed
- upgrade to 7.3.1 or later
Is CVE-2023-33949 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 7.0.0, <= 7.0.0, >= 7.1.0, <= 7.1.0, >= 7.2.0, <= 7.2.0
- >= 7.0.0, < 7.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |