CVE-2023-47798 is a medium-severity vulnerability classified under CWE-384 (Session Fixation) affecting Liferay Portal versions 7.2.0 through 7.3.0, including Liferay DXP 7.2 prior to fix pack 5, as well as older unsupported versions. The vulnerability arises from the failure of the account lockout mechanism to invalidate existing user sessions. Specifically, when an account is locked out—typically due to multiple failed login attempts—the system does not terminate active sessions associated with that account. This allows remote authenticated users who already have an active session to remain authenticated and continue accessing the portal despite the account being locked. The CVSS 3.1 base score is 5.4 (medium), with vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N, indicating that the vulnerability can be exploited remotely without privileges but requires user interaction, and impacts confidentiality and integrity to a limited extent without affecting availability. The core technical issue is that session management does not properly revoke or refresh session tokens upon account lockout, enabling session fixation-like persistence of access. No known exploits are currently reported in the wild, and no official patches are linked in the provided data, though fix packs exist for some versions. This vulnerability could be leveraged by attackers who have obtained valid credentials or have active sessions to maintain unauthorized access even after the account is locked, potentially facilitating further unauthorized actions or data exposure within the Liferay Portal environment.

For European organizations using Liferay Portal, especially versions 7.2.0 through 7.3.0 or older unsupported versions, this vulnerability poses a risk of unauthorized prolonged access by malicious insiders or external attackers who have gained valid credentials or active sessions. The failure to invalidate sessions after account lockout undermines the effectiveness of security controls designed to prevent brute force or credential stuffing attacks. This could lead to unauthorized access to sensitive corporate data, user information, or internal resources managed through the portal. Confidentiality and integrity of data are at risk, although availability is not directly impacted. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, may face compliance risks if unauthorized access leads to data breaches. The vulnerability also complicates incident response and account recovery processes, as locked accounts do not guarantee session termination. Given the widespread use of Liferay Portal in European enterprises for intranet, extranet, and public-facing websites, the potential impact includes reputational damage, regulatory penalties under GDPR, and operational disruptions if attackers leverage persistent sessions for lateral movement or privilege escalation.

European organizations should prioritize upgrading to the latest Liferay Portal versions or applying the relevant fix packs that address this vulnerability, specifically moving beyond versions 7.2.0 through 7.3.0 and ensuring Liferay DXP 7.2 is updated past fix pack 5. In the absence of immediate patches, organizations should implement compensating controls such as enforcing strict session timeout policies and manual session invalidation upon account lockout events. Monitoring and alerting on concurrent sessions per user can help detect anomalies indicative of session persistence post-lockout. Additionally, integrating multi-factor authentication (MFA) reduces the risk of credential compromise leading to active sessions. Security teams should audit session management configurations and consider custom development or scripting to forcibly terminate sessions when accounts are locked. Regular security assessments and penetration testing focused on session management can identify exploitation attempts. Finally, educating users and administrators about the risks of session persistence and the importance of logging out after use can reduce exposure.