How severe is CVE-2023-33949?

CVE-2023-33949 has a CVSS v3 score of 5.3 (MEDIUM).

CVE-2023-33949

Name: liferay_portal
Author: liferay

5.3MEDIUM

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts us

Published: 5/24/2023Updated: 1/9/2026

Description

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.

AI AnalysisPowered by AI

Affected Products

liferaydigital_experience_platform

liferayliferay_portal

7.3.0

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949
Vendor Advisory
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949
Vendor Advisory