CVE-2023-33949

EPSS 0.18%
Veröffentlicht 24.05.2023 17:15:09
Zuletzt bearbeitet 21.11.2024 08:06:16
Quelle security@liferay.com
Teams Watchlist Login
Unerledigt Login

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Liferay ≫ Digital Experience Platform Version7.0 Update-

Liferay ≫ Digital Experience Platform Version7.1 Update-

Liferay ≫ Digital Experience Platform Version7.2 Update-

Liferay ≫ Liferay Portal Version >= 7.0.0 <= 7.3.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.397

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security@liferay.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-1188 Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-33949

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-33949

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-33949

EUVD