CVE-2023-47798: CWE-384 Session Fixation in Liferay Portal
Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.
AI Analysis
Technical Summary
CVE-2023-47798 is a medium-severity vulnerability classified under CWE-384 (Session Fixation) affecting Liferay Portal versions 7.2.0 through 7.3.0, including Liferay DXP 7.2 prior to fix pack 5, as well as older unsupported versions. The vulnerability arises from the failure of the account lockout mechanism to invalidate existing user sessions. Specifically, when an account is locked out—typically due to multiple failed login attempts—the system does not terminate active sessions associated with that account. This allows remote authenticated users who already have an active session to remain authenticated and continue accessing the portal despite the account being locked. The CVSS 3.1 base score is 5.4 (medium), with vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N, indicating that the vulnerability can be exploited remotely without privileges but requires user interaction, and impacts confidentiality and integrity to a limited extent without affecting availability. The core technical issue is that session management does not properly revoke or refresh session tokens upon account lockout, enabling session fixation-like persistence of access. No known exploits are currently reported in the wild, and no official patches are linked in the provided data, though fix packs exist for some versions. This vulnerability could be leveraged by attackers who have obtained valid credentials or have active sessions to maintain unauthorized access even after the account is locked, potentially facilitating further unauthorized actions or data exposure within the Liferay Portal environment.
Potential Impact
For European organizations using Liferay Portal, especially versions 7.2.0 through 7.3.0 or older unsupported versions, this vulnerability poses a risk of unauthorized prolonged access by malicious insiders or external attackers who have gained valid credentials or active sessions. The failure to invalidate sessions after account lockout undermines the effectiveness of security controls designed to prevent brute force or credential stuffing attacks. This could lead to unauthorized access to sensitive corporate data, user information, or internal resources managed through the portal. Confidentiality and integrity of data are at risk, although availability is not directly impacted. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, may face compliance risks if unauthorized access leads to data breaches. The vulnerability also complicates incident response and account recovery processes, as locked accounts do not guarantee session termination. Given the widespread use of Liferay Portal in European enterprises for intranet, extranet, and public-facing websites, the potential impact includes reputational damage, regulatory penalties under GDPR, and operational disruptions if attackers leverage persistent sessions for lateral movement or privilege escalation.
Mitigation Recommendations
European organizations should prioritize upgrading to the latest Liferay Portal versions or applying the relevant fix packs that address this vulnerability, specifically moving beyond versions 7.2.0 through 7.3.0 and ensuring Liferay DXP 7.2 is updated past fix pack 5. In the absence of immediate patches, organizations should implement compensating controls such as enforcing strict session timeout policies and manual session invalidation upon account lockout events. Monitoring and alerting on concurrent sessions per user can help detect anomalies indicative of session persistence post-lockout. Additionally, integrating multi-factor authentication (MFA) reduces the risk of credential compromise leading to active sessions. Security teams should audit session management configurations and consider custom development or scripting to forcibly terminate sessions when accounts are locked. Regular security assessments and penetration testing focused on session management can identify exploitation attempts. Finally, educating users and administrators about the risks of session persistence and the importance of logging out after use can reduce exposure.
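The two compensating controls described above (revoking every active session when an account is locked, and re-checking the lock state on each request rather than trusting the session alone) are illustrated in the following added example. It is constructed code, not Liferay's own session or lockout implementation; the account and session classes, the policy constants MAX_FAILED_LOGINS and CONCURRENT_SESSION_ALERT, and the simulate() driver are all assumptions made for the illustration. Running simulate() with both controls disabled reproduces the behaviour the advisory describes (the account is locked, the old session still authenticates); enabling either control closes it, and the registry also raises the concurrent-session alert the text recommends for detection.

```python
"""Session registry whose validity is tied to account lockout state.

Constructed example, not Liferay code. It models the interaction between an
account-lockout mechanism and a session store, and shows two mitigations:
  1. revoke all of a user's sessions at the moment the account is locked;
  2. consult the account's lock state on every request (defence in depth).
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_LOGINS = 5         # assumed lockout policy
CONCURRENT_SESSION_ALERT = 3  # assumed alert threshold for sessions per user


@dataclass
class Account:
    name: str
    failed_logins: int = 0
    locked: bool = False


@dataclass
class Session:
    token: str
    user: str
    created: float
    revoked: bool = False


class SessionRegistry:
    def __init__(self, revoke_on_lock: bool, check_lock_per_request: bool) -> None:
        self.revoke_on_lock = revoke_on_lock
        self.check_lock_per_request = check_lock_per_request
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}
        self.alerts: list[str] = []

    def account(self, name: str) -> Account:
        return self.accounts.setdefault(name, Account(name))

    def active_sessions(self, name: str) -> list[Session]:
        return [s for s in self.sessions.values() if s.user == name and not s.revoked]

    def login(self, name: str, password_ok: bool) -> Optional[str]:
        """Return a session token on success, None on failure or lockout."""
        acct = self.account(name)
        if acct.locked:
            return None
        if not password_ok:
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                self.lock(name)
            return None
        acct.failed_logins = 0
        token = secrets.token_urlsafe(32)  # unpredictable token, never caller-supplied
        self.sessions[token] = Session(token, name, time.time())
        active = self.active_sessions(name)
        if len(active) >= CONCURRENT_SESSION_ALERT:
            self.alerts.append(f"user {name} has {len(active)} concurrent sessions")
        return token

    def lock(self, name: str) -> None:
        """Lock the account; with revoke_on_lock, also terminate its sessions."""
        acct = self.account(name)
        acct.locked = True
        if self.revoke_on_lock:
            for s in self.active_sessions(name):
                s.revoked = True

    def is_authenticated(self, token: str) -> bool:
        """Per-request check: a session must exist, be unrevoked and (optionally)
        belong to an account that is not currently locked."""
        s = self.sessions.get(token)
        if s is None or s.revoked:
            return False
        if self.check_lock_per_request and self.account(s.user).locked:
            return False
        return True


def simulate(revoke_on_lock: bool, check_lock_per_request: bool) -> tuple[bool, bool]:
    """One session is established, then repeated bad passwords lock the account.
    Returns (account_locked, old_session_still_authenticates)."""
    reg = SessionRegistry(revoke_on_lock, check_lock_per_request)
    token = reg.login("alice", password_ok=True)
    assert token is not None
    for _ in range(MAX_FAILED_LOGINS):
        reg.login("alice", password_ok=False)
    return reg.account("alice").locked, reg.is_authenticated(token)


if __name__ == "__main__":
    print("no controls         :", simulate(False, False))  # (True, True)  session survives lockout
    print("revoke on lock      :", simulate(True, False))   # (True, False)
    print("check lock per req  :", simulate(False, True))   # (True, False)
```

Revoking on lock is the cheaper control because it is a one-time operation; the per-request check costs a lookup on every call but also covers sessions created through paths the lockout hook does not see, so a hardened deployment should do both.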
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2023-11-10T01:49:20.188Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0fa1484d88663aec3ac
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 7/4/2025, 7:09:55 PM
Last updated: 8/16/2025, 3:01:20 PM