CVE-2023-33949 - Vulnerability Details - OpenCVE

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Liferay	Digital Experience Platform Liferay Portal

Configuration 1 [-]

OR	cpe:2.3:a:liferay:digital_experience_platform::::::::
	cpe:2.3:a:liferay:liferay_portal::::::::
	cpe:2.3:a:liferay:liferay_portal::::::::
	cpe:2.3:a:liferay:liferay_portal::::::::
	cpe:2.3:a:liferay:liferay_portal:7.3.0:::::::*

No data.

References

Link	Providers
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949

History

Fri, 09 Jan 2026 02:30:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:liferay:digital_experience_platform:7.0:-:::::: cpe:2.3:a:liferay:digital_experience_platform:7.1:-:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:-::::::	cpe:2.3:a:liferay:digital_experience_platform:::::::: cpe:2.3:a:liferay:liferay_portal:7.3.0:::::::*

Tue, 22 Oct 2024 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Liferay

Published: 2023-05-24T16:01:55.501Z

Updated: 2024-10-22T15:51:31.464Z

Reserved: 2023-05-24T02:36:00.165Z

Link: CVE-2023-33949

Vulnrichment

Updated: 2024-08-02T15:54:14.057Z

NVD

Status : Analyzed

Published: 2023-05-24T17:15:09.933

Modified: 2026-01-09T02:15:15.867

Link: CVE-2023-33949

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-33949", "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3", "state": "PUBLISHED", "assignerShortName": "Liferay", "dateReserved": "2023-05-24T02:36:00.165Z", "datePublished": "2023-05-24T16:01:55.501Z", "dateUpdated": "2024-10-22T15:51:31.464Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Portal", "vendor": "Liferay", "versions": [{"lessThanOrEqual": "7.3.0", "status": "affected", "version": "0", "versionType": "maven"}]}, {"defaultStatus": "unaffected", "product": "DXP", "vendor": "Liferay", "versions": [{"lessThan": "7.3.10", "status": "affected", "version": "0", "versionType": "maven"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true."}], "value": "In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1188", "description": "CWE-1188 Insecure Default Initialization of Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3", "shortName": "Liferay", "dateUpdated": "2023-05-24T16:01:55.501Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:54:14.057Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-22T15:48:38.903885Z", "id": "CVE-2023-33949", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T15:51:31.464Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:54:14.057Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-33949", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T15:48:38.903885Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T15:50:02.356Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Liferay", "product": "Portal", "versions": [{"status": "affected", "version": "0", "versionType": "maven", "lessThanOrEqual": "7.3.0"}], "defaultStatus": "unaffected"}, {"vendor": "Liferay", "product": "DXP", "versions": [{"status": "affected", "version": "0", "lessThan": "7.3.10", "versionType": "maven"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.", "supportingMedia": [{"type": "text/html", "value": "In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1188", "description": "CWE-1188 Insecure Default Initialization of Resource"}]}], "providerMetadata": {"orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3", "shortName": "Liferay", "dateUpdated": "2023-05-24T16:01:55.501Z"}}}, "cveMetadata": {"cveId": "CVE-2023-33949", "state": "PUBLISHED", "dateUpdated": "2024-10-22T15:51:31.464Z", "dateReserved": "2023-05-24T02:36:00.165Z", "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3", "datePublished": "2023-05-24T16:01:55.501Z", "assignerShortName": "Liferay"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "87C1F737-CC9C-4F58-90FF-1820273764BE", "versionEndIncluding": "7.2", "versionStartIncluding": "7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4E17D2C-F563-46F7-8441-37386D9AF4AF", "versionEndIncluding": "7.0.6", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "matchCriteriaId": "59033BD5-FE75-479B-81F5-C93B54AA894C", "versionEndIncluding": "7.1.3", "versionStartIncluding": "7.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7CAF8FC-6334-48FD-A3E0-83EE307A5210", "versionEndIncluding": "7.2.1", "versionStartIncluding": "7.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:liferay:liferay_portal:7.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "91AE0729-1E78-4097-A400-694FDDE41F49", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true."}], "id": "CVE-2023-33949", "lastModified": "2026-01-09T02:15:15.867", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-05-24T17:15:09.933", "references": [{"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1188"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-1188"}], "source": "[email protected]", "type": "Primary"}]}