CVE-2023-33949

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949	Vendor Advisory
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:liferay:digital_experience_platform:7.0:-::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.1:-::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:-::::::
	cpe:2.3:a:liferay:liferay_portal::::::::

History

21 Nov 2024, 08:06

Type	Values Removed	Values Added
References	~~() https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949 - Vendor Advisory~~	() https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : unknown v3 : 5.3

Information

Published : 2023-05-24 17:15

Updated : 2024-11-21 08:06

NVD link : CVE-2023-33949

Mitre link : CVE-2023-33949

CVE.ORG link : CVE-2023-33949

JSON object : View

Products Affected

liferay

liferay_portal
digital_experience_platform

CWE

CWE-1188

Initialization of a Resource with an Insecure Default

{"id": "CVE-2023-33949", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@liferay.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-05-24T17:15:09.933", "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949", "tags": ["Vendor Advisory"], "source": "security@liferay.com"}, {"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@liferay.com", "description": [{"lang": "en", "value": "CWE-1188"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1188"}]}], "descriptions": [{"lang": "en", "value": "In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true."}], "lastModified": "2024-11-21T08:06:16.403", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4614C87F-F39C-4ADD-A7A2-4A498612AD38"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "27DF695E-B890-42C2-8941-5BB53154755F"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96"}, {"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "39BA38ED-FF39-4795-9313-F920D16DD629", "versionEndIncluding": "7.3.0", "versionStartIncluding": "7.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@liferay.com"}