CVE-2023-33949 Vulnerability Details

  /     /     /  

CVE-2023-33949 Metadata Quick Info

CVE Published: 24/05/2023 | CVE Updated: 22/10/2024 | CVE Year: 2023
Source: Liferay | Vendor: Liferay | Product: Portal
Status : PUBLISHED

---

CVE-2023-33949 Description

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don\'t control. The portal property `company.security.strangers.verify` should be set to true.

Metrics

CVSS Version: 3.1 | Base Score: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* NONE
    User Interaction (UI)* NONE
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* NONE
    Integrity Impact (I)* LOW
    Availability Impact (A)* NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-1188
CWE Name: CWE-1188 Insecure Default Initialization of Resource
Source: Liferay

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).