Moderate severityNVD Advisory· Published Feb 8, 2024· Updated May 15, 2025

CVE-2023-47798

Description

Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.liferay.portal:release.portal.bomMaven	>= 7.2.0, < 7.3.1	7.3.1
com.liferay.portal:release.dxp.bomMaven	>= 7.2.0, < 7.2.10.fp5	7.2.10.fp5

Affected products

Liferay/Portalv5
Range: 7.2.0
Liferay/DXPv5
Range: 7.2.10

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-2mx7-xvfg-fg53ghsaADVISORY
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47798ghsavendor-advisoryWEB
nvd.nist.gov/vuln/detail/CVE-2023-47798ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000