
CVE-2023-47798: CWE-384 Session Fixation in Liferay Portal

Medium
Tags: Vulnerability, CVE-2023-47798, CWE-384
Published: Thu Feb 08 2024 (02/08/2024, 02:55:43 UTC)
Source: CVE
Vendor/Project: Liferay
Product: Portal

Description

Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.

AI-Powered Analysis

Last updated: 07/04/2025, 19:09:55 UTC

Technical Analysis

CVE-2023-47798 is a medium-severity vulnerability classified under CWE-384 (Session Fixation) affecting Liferay Portal versions 7.2.0 through 7.3.0, Liferay DXP 7.2 prior to fix pack 5, and older unsupported versions. The account lockout mechanism fails to invalidate existing user sessions: when an account is locked, typically after multiple failed login attempts, active sessions already bound to that account are not terminated. A remote user who holds an active session therefore remains authenticated and can keep using the portal even though the account is locked. The CVSS 3.1 base score is 5.4 (medium), with vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N, indicating that the vulnerability can be exploited remotely without privileges but requires user interaction, and that it has a limited impact on confidentiality and integrity with no impact on availability. The core technical issue is that session management does not revoke or refresh session tokens upon account lockout, so access persists in a session-fixation-like manner. No known exploits are currently reported in the wild, and no official patches are linked in the provided data, though fix packs exist for some versions. An attacker who has obtained valid credentials or already holds an active session could use this behaviour to retain unauthorized access after the account is locked, potentially enabling further unauthorized actions or data exposure within the Liferay Portal environment.

Potential Impact

For European organizations using Liferay Portal, especially versions 7.2.0 through 7.3.0 or older unsupported versions, this vulnerability poses a risk of unauthorized prolonged access by malicious insiders or external attackers who have gained valid credentials or active sessions. The failure to invalidate sessions after account lockout undermines the effectiveness of security controls designed to prevent brute force or credential stuffing attacks. This could lead to unauthorized access to sensitive corporate data, user information, or internal resources managed through the portal. Confidentiality and integrity of data are at risk, although availability is not directly impacted. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, may face compliance risks if unauthorized access leads to data breaches. The vulnerability also complicates incident response and account recovery processes, as locked accounts do not guarantee session termination. Given the widespread use of Liferay Portal in European enterprises for intranet, extranet, and public-facing websites, the potential impact includes reputational damage, regulatory penalties under GDPR, and operational disruptions if attackers leverage persistent sessions for lateral movement or privilege escalation.

Mitigation Recommendations

European organizations should prioritize upgrading to the latest Liferay Portal versions or applying the relevant fix packs that address this vulnerability, specifically moving beyond versions 7.2.0 through 7.3.0 and ensuring Liferay DXP 7.2 is at fix pack 5 or later. Where patching is not immediately possible, organizations should implement compensating controls such as strict session timeout policies and manual session invalidation upon account lockout events. Monitoring and alerting on concurrent sessions per user can help detect anomalies indicative of session persistence after lockout. Additionally, integrating multi-factor authentication (MFA) reduces the risk of credential compromise leading to active sessions. Security teams should audit session management configurations and consider custom development or scripting to forcibly terminate sessions when accounts are locked. Regular security assessments and penetration testing focused on session management can confirm whether sessions survive lockout and reveal attempts to exploit this behaviour. Finally, educating users and administrators about the risks of session persistence and the importance of logging out after use can reduce exposure.
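The following is an added, constructed model of the defect described in the technical analysis and of the mitigations above; it is not Liferay code and uses made-up account names. The same toy session store is run twice: once with the vulnerable behaviour (lockout leaves sessions alive) and once with lockout revoking the account's sessions, and it includes the audit query a monitoring job would run to find locked accounts that still own a live session.

```python
import secrets
from typing import Dict, List, Optional, Set, Tuple


class SessionStore:
    """Toy server-side session registry: session id -> account name (not Liferay code)."""

    def __init__(self, revoke_on_lockout: bool):
        self.revoke_on_lockout = revoke_on_lockout
        self.passwords: Dict[str, str] = {}   # account -> password (plaintext only in this toy)
        self.locked: Set[str] = set()
        self.sessions: Dict[str, str] = {}    # live session id -> account

    def login(self, name: str, password: str) -> Optional[str]:
        # New logins are refused for a locked account; this part already works in Liferay.
        if name in self.locked or self.passwords.get(name) != password:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = name
        return sid

    def lock(self, name: str) -> None:
        """Account lockout, e.g. triggered after repeated failed logins."""
        self.locked.add(name)
        if self.revoke_on_lockout:
            # Fix: revoke every live session bound to the locked account.
            for sid in [s for s, u in self.sessions.items() if u == name]:
                del self.sessions[sid]

    def is_authenticated(self, sid: str) -> bool:
        # Vulnerable request check: a known session id suffices; lockout state is ignored.
        return sid in self.sessions

    def locked_accounts_with_live_sessions(self) -> List[str]:
        """Audit query for monitoring: locked accounts that still own a live session."""
        return sorted(self.locked & set(self.sessions.values()))


def lockout_scenario(revoke_on_lockout: bool) -> Tuple[SessionStore, Optional[str]]:
    """Open a session for a constructed account, then lock the account; return both."""
    store = SessionStore(revoke_on_lockout)
    store.passwords["alice"] = "correct-horse"      # constructed test account
    sid = store.login("alice", "correct-horse")     # legitimate session established first
    store.lock("alice")                             # lockout happens while that session is live
    return store, sid
```

A second, independent hardening is to re-check lockout state on every request rather than only at login, so that a revocation missed at lock time still cannot keep a locked account active.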


Technical Details

Data Version
5.1
Assigner Short Name
Liferay
Date Reserved
2023-11-10T01:49:20.188Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0fa1484d88663aec3ac

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 7:09:55 PM

Last updated: 8/17/2025, 9:04:47 PM
