CVE-2023-33949: Insecure Default Initialization In Liferay Portal

May 24, 2023

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don’t control. The portal property company.security.strangers.verify should be set to true.

References

github.com/advisories/GHSA-g9mr-9xfc-4gf7
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949
nvd.nist.gov/vuln/detail/CVE-2023-33949

Code Behaviors & Features

Detect and mitigate CVE-2023-33949 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →