CVE-2023-33949 — Initialization of a Resource with an Insecure Default in DXP

CWE-1188 — Initialization of a Resource with an Insecure Default4 documents4 sources

Severity

7.5HIGHNVD

CNA5.3

EPSS

0.2%

top 53.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay DXP Liferay Portal Liferay Digital Experience Platform +1 more

Timeline

PublishedMay 24

Description

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5liferay/portal7.3.0

▶NVDliferay/liferay_portal7.0.0 — 7.0.6+3

▶CVEListV5liferay/dxp< 7.3.10

▶NVDliferay/digital_experience_platform7.0 — 7.2

🔴Vulnerability Details

CVEList

CVE-2023-33949: In Liferay Portal 7↗2023-05-24

▶

OSV

Insecure Default Initialization In Liferay Portal↗2023-05-24

▶

GHSA

Insecure Default Initialization In Liferay Portal↗2023-05-24

▶