CVE-2023-33949 : In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.

Published 2023-05-24 17:15:10

Updated 2023-05-31 20:16:47

Source Liferay Inc.

View at NVD, CVE.org

Products affected by CVE-2023-33949

Liferay » Liferay Portal
Versions from including (>=) 7.0.0 and up to, including, (<=) 7.3.0
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.1
cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.2
cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*
Matching versions
Liferay » Digital Experience Platform » Version: 7.0
cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2023-33949

Top countries where our scanners detected CVE-2023-33949

Top open port discovered on systems with this issue 443

IPs affected by CVE-2023-33949 171

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2023-33949!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2023-33949

EPSS FAQ

0.18%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 40 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-33949

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	Liferay Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2023-33949

CWE-1188 Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.
Assigned by:
- nvd@nist.gov (Primary)
- security@liferay.com (Secondary)

References for CVE-2023-33949

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949

CVE-2023-33949 Users do not have to verify their email address by default - Liferay
Vendor Advisory