Overview
- Description
- In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property `company.security.strangers.verify` should be set to true.
- Source
- security@liferay.com
- NVD status
- Analyzed
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Severity
- HIGH
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4614C87F-F39C-4ADD-A7A2-4A498612AD38"
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "27DF695E-B890-42C2-8941-5BB53154755F"
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96"
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "39BA38ED-FF39-4795-9313-F920D16DD629",
"versionEndIncluding": "7.3.0",
"versionStartIncluding": "7.0.0"
}
],
"operator": "OR"
}
]
}
]