CVE-2023-33949
Description
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier, the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The portal property company.security.strangers.verify should be set to true.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Liferay Portal and DXP default configuration allows unverified email account creation, enabling attackers to register with fake email addresses.
Vulnerability
CVE-2023-33949 is a configuration vulnerability in Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier. The default setting for the portal property company.security.strangers.verify is false, meaning that new user registrations do not require email address verification. This allows anyone to create an account using any email address, including fake ones or addresses they do not control [1].
Exploitation
An attacker can exploit this by simply registering a new account on a vulnerable Liferay instance. No authentication or special privileges are needed; the attack can be performed remotely over the network. The absence of email verification means the attacker can use any arbitrary email address, potentially impersonating existing users or creating multiple accounts for abuse [3].
Impact
Successful exploitation grants the attacker a valid account on the Liferay system. Depending on the portal's configuration, this could lead to unauthorized access to restricted content, spam, or further attacks such as privilege escalation if combined with other vulnerabilities. The impact is elevated because the attacker can create accounts without any legitimate email ownership [1][3].
Mitigation
The recommended mitigation is to set the portal property company.security.strangers.verify to true in the portal-ext.properties file. This enforces email verification for new registrations. Liferay has addressed this issue in newer versions; users should upgrade to Liferay Portal 7.4.0 or later, or Liferay DXP 7.3 and later, where the default is true [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
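A way to check the mitigation described above is to audit the text of portal-ext.properties for the effective value of company.security.strangers.verify. This is an added example, not code from Liferay or from the advisories; it assumes java.util.Properties-style syntax (comments, line continuations, last definition wins), and the sample file content is constructed.

```python
import re

PROP = "company.security.strangers.verify"

def parse_properties(text):
    """Parse java.util.Properties-style text: '#'/'!' comments, backslash
    line continuations, '=' or ':' separators; a later definition of a key
    replaces an earlier one. Escape sequences are not decoded."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue  # blank line or comment
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd count of trailing backslashes: continues
            logical += line[:-1]
            continue
        logical += line
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
        logical = ""
    return props

def audit(text):
    """Return (status, message) for the email verification property."""
    props = parse_properties(text)
    if PROP not in props:
        return "UNSET", f"{PROP} is not set, so the version default applies"
    if props[PROP].lower() == "true":
        return "OK", f"{PROP}=true, new registrations must verify their email"
    return "WEAK", f"{PROP}={props[PROP]}, set it to true"

# Constructed sample: the only 'true' is commented out, and the similarly
# named company.security.strangers key must not be mistaken for the target.
SAMPLE = """\
# company.security.strangers.verify=true
company.security.strangers=true
company.security.strangers.verify=false
"""

if __name__ == "__main__":
    status, message = audit(SAMPLE)
    print(status, "-", message)
```

On the affected versions an UNSET result is equivalent to WEAK, because the default there is false. The check reads only the properties text it is given and does not see values configured anywhere else.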
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.0.0, < 7.3.1 | 7.3.1 |
Affected products
- osv-coords (2 versions): >= 7.0.0, <= 7.0.0 (+ 1 more)
- (no CPE) range: >= 7.0.0, <= 7.0.0
- (no CPE) range: >= 7.0.0, < 7.3.1
- Liferay/DXP v5 Range: 0
References
- github.com/advisories/GHSA-g9mr-9xfc-4gf7 (ghsa, ADVISORY)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33949 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2023-33949 (ghsa, ADVISORY)