Lucene search

GitHub Advisory DatabaseGHSA-G9MR-9XFC-4GF7

HistoryMay 24, 2023 - 6:30 p.m.

Insecure Default Initialization In Liferay Portal

2023-05-2418:30:26

CWE-1188

GitHub Advisory Database

github.com

liferay portal

security configuration

remote attackers

fake email addresses

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

36.5%

JSON

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don’t control. The portal property company.security.strangers.verify should be set to true.

Affected configurations

Vulners

Node

com.liferay.portal\Matchrelease.portal.bom

CPENameOperatorVersion
com.liferay.portal:release.portal.bomlt7.3.1

CPE	Name	Operator	Version
	com.liferay.portal:release.portal.bom	lt	7.3.1

References

github.com/advisories/GHSA-g9mr-9xfc-4gf7

liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949

nvd.nist.gov/vuln/detail/CVE-2023-33949

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

36.5%

JSON

Related for GHSA-G9MR-9XFC-4GF7