Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nOW1yLTl4ZmMtNGdmN84AAzdc
Insecure Default Initialization In Liferay Portal
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property company.security.strangers.verify should be set to true.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nOW1yLTl4ZmMtNGdmN84AAzdc
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 5 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-g9mr-9xfc-4gf7, CVE-2023-33949
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-33949
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949
- https://github.com/advisories/GHSA-g9mr-9xfc-4gf7
Affected Packages
maven:com.liferay.portal:release.portal.bom
Dependent packages: 5Dependent repositories: 33
Downloads:
Affected Version Ranges: >= 7.0.0, < 7.3.1
Fixed in: 7.3.1
All affected versions: 7.0.6, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.3.0
All unaffected versions: 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.4.0, 7.4.1, 7.4.2