CVE-2023-47798
MEDIUM 5.4, EPSS 0.19%
Liferay Portal's account lockout does not invalidate existing user sessions
Published: 2024/2/8, Modified: 2024/10/3
Description
Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.
Affected packages (2)
- Maven / com.liferay.portal:release.dxp.bom: >= 7.2.0, < 7.2.10.fp5
- Maven / com.liferay.portal:release.portal.bom: >= 7.2.0, < 7.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |