CVE-2023-47798

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-47798
Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798 Vendor Advisory
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*
History

21 Nov 2024, 08:30

Type Values Removed Values Added
References () https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798 - Vendor Advisory () https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798 - Vendor Advisory
CVSS v2 : unknown
v3 : 4.6 		v2 : unknown
v3 : 5.4

03 Oct 2024, 18:13

Type Values Removed Values Added
CPE cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 5.4 		v2 : unknown
v3 : 4.6
First Time Liferay
Liferay digital Experience Platform
Liferay liferay Portal
Summary
  • (es) El bloqueo de cuentas en Liferay Portal 7.2.0 a 7.3.0 y versiones anteriores no compatibles, y Liferay DXP 7.2 anterior al fixpack 5 y versiones anteriores no compatibles no invalida las sesiones de usuario existentes, lo que permite a los usuarios autenticados remotamente permanecer autenticados después de que se haya bloqueado una cuenta.
References () https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798 - () https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798 - Vendor Advisory

08 Feb 2024, 03:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-02-08 03:15

Updated : 2024-11-21 08:30

NVD link : CVE-2023-47798

Mitre link : CVE-2023-47798

CVE.ORG link : CVE-2023-47798

JSON object : View

Products Affected

liferay

  • liferay_portal
  • digital_experience_platform
CWE
CWE-384

Session Fixation