CVE-2023-33949

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

I

n Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.

References

Link	Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949	Vendor Advisory
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:liferay:digital_experience_platform::::::::
	cpe:2.3:a:liferay:liferay_portal::::::::
	cpe:2.3:a:liferay:liferay_portal::::::::
	cpe:2.3:a:liferay:liferay_portal::::::::
	cpe:2.3:a:liferay:liferay_portal:7.3.0:::::::*

History

09 Jan 2026, 02:15

Type	Values Removed	Values Added
CPE	cpe:2.3:a:liferay:digital_experience_platform:7.1:-:::::: cpe:2.3:a:liferay:digital_experience_platform:7.0:-:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:-::::::	cpe:2.3:a:liferay:digital_experience_platform:::::::: cpe:2.3:a:liferay:liferay_portal:7.3.0:::::::*

21 Nov 2024, 08:06

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : unknown v3 : 5.3
References	~~() https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949 - Vendor Advisory~~	() https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949 - Vendor Advisory

Information

Published : 2023-05-24 17:15

Updated : 2026-01-09 02:15

NVD link : CVE-2023-33949

Mitre link : CVE-2023-33949

CVE.ORG link : CVE-2023-33949

JSON object : View

Products Affected

CWE

CWE-1188

Initialization of a Resource with an Insecure Default

{"id": "CVE-2023-33949", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-05-24T17:15:09.933", "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-1188"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-1188"}]}], "descriptions": [{"lang": "en", "value": "In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true."}], "lastModified": "2026-01-09T02:15:15.867", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "87C1F737-CC9C-4F58-90FF-1820273764BE", "versionEndIncluding": "7.2", "versionStartIncluding": "7.0"}, {"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D4E17D2C-F563-46F7-8441-37386D9AF4AF", "versionEndIncluding": "7.0.6", "versionStartIncluding": "7.0.0"}, {"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "59033BD5-FE75-479B-81F5-C93B54AA894C", "versionEndIncluding": "7.1.3", "versionStartIncluding": "7.1.0"}, {"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7CAF8FC-6334-48FD-A3E0-83EE307A5210", "versionEndIncluding": "7.2.1", "versionStartIncluding": "7.2.0"}, {"criteria": "cpe:2.3:a:liferay:liferay_portal:7.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "91AE0729-1E78-4097-A400-694FDDE41F49"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}