CVE-2023-47798
Liferay Portal's account lockout does not invalidate existing user sessions
5.4
MEDIUM
CVSS 3.1
EPSS 0.19%
Description
Account lockout in Liferay Portal 7.2.0 through 7.3.0 (and older unsupported versions) and in Liferay DXP 7.2 before fix pack 5 (and older unsupported versions) does not invalidate existing user sessions. A remote user who was already authenticated therefore remains authenticated after their account has been locked: the lock blocks new logins but leaves sessions issued before the lock usable.
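The defect the description refers to, in an added illustration that is not Liferay's code: a hypothetical in-memory session store in which locking an account only flips a flag (sessions issued before the lock keep working), beside the hardened behaviour where a lock revokes the account's live sessions and the lock flag is re-checked on every request. All names here (`SessionStore`, `lock_account`, `authenticate_request`) are assumptions for the illustration.

```python
# Added illustration for CVE-2023-47798 (not Liferay's code): a minimal
# session store that models the defect (sessions outlive an account lockout)
# and the hardened behaviour (sessions revoked at lockout, lock re-checked on
# every request). Everything here is a hypothetical stand-in.
from dataclasses import dataclass, field
import secrets


class AuthError(Exception):
    """Raised when a login or a request must be refused."""


@dataclass
class SessionStore:
    # Both switches on: hardened. Both off: the behaviour the CVE describes.
    revoke_sessions_on_lock: bool = True
    check_lock_per_request: bool = True
    # account name -> locked flag (stand-in for a user table)
    accounts: dict = field(default_factory=dict)
    # session id -> account name (stand-in for the server-side session cache)
    sessions: dict = field(default_factory=dict)

    def add_account(self, name: str) -> None:
        self.accounts[name] = False

    def login(self, name: str) -> str:
        """Issue a new session for an unlocked account."""
        if name not in self.accounts:
            raise AuthError("unknown account")
        if self.accounts[name]:
            raise AuthError("account is locked")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = name
        return sid

    def revoke_sessions(self, name: str) -> int:
        """Drop every live session of one account; returns how many were removed."""
        doomed = [sid for sid, owner in self.sessions.items() if owner == name]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)

    def lock_account(self, name: str) -> int:
        """Lock the account. A hardened store also revokes its live sessions."""
        self.accounts[name] = True
        if self.revoke_sessions_on_lock:
            return self.revoke_sessions(name)
        return 0

    def authenticate_request(self, sid: str) -> str:
        """Resolve a session id to an account name, or refuse the request."""
        name = self.sessions.get(sid)
        if name is None:
            raise AuthError("no such session")
        # Defence in depth: a session issued before the lock (or living in a
        # cache the revocation did not reach) is still refused here.
        if self.check_lock_per_request and self.accounts.get(name, True):
            raise AuthError("account is locked")
        return name


def session_survives_lock(store: SessionStore, name: str = "alice") -> bool:
    """Log in, lock the account, then replay the pre-lock session.
    True means the defect is present in this store configuration."""
    store.add_account(name)
    sid = store.login(name)
    store.lock_account(name)
    try:
        store.authenticate_request(sid)
        return True
    except AuthError:
        return False


if __name__ == "__main__":
    vulnerable = SessionStore(revoke_sessions_on_lock=False,
                              check_lock_per_request=False)
    hardened = SessionStore()
    print("vulnerable store keeps session after lock:",
          session_survives_lock(vulnerable))
    print("hardened store keeps session after lock:",
          session_survives_lock(hardened))
```

Either control on its own closes the window in this model; real deployments usually want both, because session revocation can miss sessions held in a cache or cluster node the lock event did not reach, while the per-request check catches those at the cost of one lookup per request.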
How to fix CVE-2023-47798
To remediate CVE-2023-47798, upgrade the affected package to a fixed version below.
- upgrade to 7.2.10.fp5 or later
- upgrade to 7.3.1 or later
Is CVE-2023-47798 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 7.2.0, < 7.2.10.fp5
- >= 7.2.0, < 7.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |