CVE-2023-47798 – com.liferay.portal:release.dxp.bom

Package

Manager: maven
Name: com.liferay.portal:release.dxp.bom
Vulnerable Version: >=7.2.0 <7.2.10.fp5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00186 pctl0.40614

Details

Liferay Portal's account lockout does not invalidate existing user sessions Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.

Metadata

Created: 2024-02-08T03:32:45Z
Modified: 2024-10-03T18:41:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-2mx7-xvfg-fg53/GHSA-2mx7-xvfg-fg53.json
CWE IDs: ["CWE-384"]
Alternative ID: GHSA-2mx7-xvfg-fg53
Finding: F062
Auto approve: 1