GHSA-g9mr-9xfc-4gf7
GitHub Security Advisory
Insecure Default Initialization In Liferay Portal
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier, the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses that they do not control. The portal property `company.security.strangers.verify` should be set to `true`.
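An added example (not part of the advisory and not Liferay's code): a Python check that reads the text of a portal properties file and reports whether `company.security.strangers.verify` is effectively `true`. It assumes Java `.properties` syntax and treats a missing property as `false`, following the advisory's description of the default; the function names and sample inputs are constructed for illustration.

```python
import re

# Property named in the advisory.
PROPERTY = "company.security.strangers.verify"

# key, optional '=' or ':' separator (or whitespace only), then the value.
# Backslash line continuations and escaped key characters are not handled.
_ENTRY = re.compile(r"^([^\s=:]+)\s*[=:]?\s*(.*)$")


def effective_value(properties_text, default="false"):
    """Return the value PROPERTY ends up with after reading the text.

    Later definitions override earlier ones. `default` models the advisory's
    statement that affected versions do not verify addresses unless told to.
    """
    value = default
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        match = _ENTRY.match(line)
        if match and match.group(1) == PROPERTY:
            value = match.group(2).strip()
    return value


def requires_email_verification(properties_text):
    """True only when the effective value is the literal 'true' (any case)."""
    return effective_value(properties_text).lower() == "true"


# Constructed sample inputs, not taken from a real deployment.
SAMPLES = {
    "property absent": "# constructed sample\nsome.other.property=1\n",
    "commented out": "#company.security.strangers.verify=true\n",
    "explicitly disabled": "company.security.strangers.verify=false\n",
    "overridden later": (
        "company.security.strangers.verify=true\n"
        "company.security.strangers.verify = false\n"
    ),
    "enabled": "company.security.strangers.verify: True\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        status = "OK" if requires_email_verification(text) else "FINDING"
        print(f"{status:8} {name}: effective value {effective_value(text)!r}")
```

Only the "enabled" sample passes; an absent, commented-out, disabled, or later-overridden property is reported as a finding.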
Affected Packages
Maven
com.liferay.portal:release.portal.bom
Affected versions: 7.0.0 (fixed in 7.3.1)
Related CVEs
Key Information
5.0/10
Dataset
Last updated: September 16, 2025 6:29 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.