CVE-2023-47798

Published: Feb 8, 2024Modified: Nov 21, 2024

4.6

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Exploitability: 2.1 / Impact: 2.5

Source: NVD

Description

Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.

Affected (7)

Products: Liferay: Digital Experience Platform, Liferay Portal

Liferay

2 products

Digital Experience Platform

Liferay Portal

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Liferay Digital Experience Platform	Before 7.2
Liferay Digital Experience Platform	Version 7.2
Liferay Digital Experience Platform	Version 7.2 fix_pack_1
Liferay Digital Experience Platform	Version 7.2 fix_pack_2
Liferay Digital Experience Platform	Version 7.2 fix_pack_3
Liferay Digital Experience Platform	Version 7.2 fix_pack_4
Liferay Liferay Portal	From 7.2.0 to 7.3.0

Related CWEs

CWE-384

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References (2)

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798

Source: security@liferay.com

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.