Security restrictions bypass in Liferay Enterprise Portal - #VU16010
Published: November 22, 2018 / Updated: November 22, 2018
Vulnerability identifier: #VU16010
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Liferay
Affected software:
Liferay Enterprise Portal
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists in the session management functionality when processing password changes. If a user has several active sessions on the site, the other sessions are not terminated when the user changes the password. As a result, if an attacker has compromised one of the user's sessions (for example by stealing the session cookie), changing the password does not lock the attacker out: the stolen session remains valid and can be reused until it expires on its own.
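The following is an added example, not code from Liferay, that models the defect and the corresponding fix in a small in-memory session store. Each user record carries a password generation counter; every session is stamped with the generation that was current when it was created. In the hardened mode, a session whose stamp no longer matches the user's current generation is rejected, so a password change evicts every other session while keeping the one that performed the change. The usernames, passwords and the stolen-cookie scenario are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class User:
    def __init__(self, name: str, password: str) -> None:
        self.name = name
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(password, self.salt)
        self.pw_generation = 0  # incremented on every password change

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash_password(password, self.salt))

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(password, self.salt)
        self.pw_generation += 1


class SessionStore:
    """Hypothetical session store; `hardened=False` reproduces the advisory's behaviour."""

    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.users: Dict[str, User] = {}
        # session id -> (username, password generation the session was created under)
        self.sessions: Dict[str, Tuple[str, int]] = {}

    def add_user(self, name: str, password: str) -> None:
        self.users[name] = User(name, password)

    def login(self, name: str, password: str) -> Optional[str]:
        user = self.users.get(name)
        if user is None or not user.check_password(password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (name, user.pw_generation)
        return sid

    def authenticated_user(self, sid: str) -> Optional[str]:
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        name, generation = entry
        user = self.users[name]
        # Hardened: a session created under an older password is no longer valid.
        if self.hardened and generation != user.pw_generation:
            del self.sessions[sid]
            return None
        return name

    def change_password(self, sid: str, old_password: str, new_password: str) -> bool:
        name = self.authenticated_user(sid)
        if name is None:
            return False
        user = self.users[name]
        if not user.check_password(old_password):
            return False
        user.set_password(new_password)
        # Re-stamp only the session that made the change so the user stays logged in.
        self.sessions[sid] = (name, user.pw_generation)
        return True


def demo(hardened: bool) -> Dict[str, bool]:
    """Constructed scenario: the victim holds one session, the attacker holds a stolen one."""
    store = SessionStore(hardened=hardened)
    store.add_user("alice", "correct horse")
    own_sid = store.login("alice", "correct horse")      # victim's own browser
    stolen_sid = store.login("alice", "correct horse")   # cookie later stolen by the attacker
    assert own_sid is not None and stolen_sid is not None
    assert store.change_password(own_sid, "correct horse", "battery staple")
    return {
        "own_session_valid": store.authenticated_user(own_sid) == "alice",
        "stolen_session_valid": store.authenticated_user(stolen_sid) == "alice",
        "old_password_accepted": store.login("alice", "correct horse") is not None,
    }


if __name__ == "__main__":
    print("vulnerable:", demo(hardened=False))
    print("hardened:  ", demo(hardened=True))
```

In the vulnerable mode the stolen session survives the password change, which is exactly the condition the advisory describes; in the hardened mode only the session that changed the password remains usable. The same check is what a manual verification looks like on a real deployment: log in from two browsers, change the password in one, and confirm the other is forced to re-authenticate.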
Remediation
Update to version 7.1.1. Until the update is applied, a password change alone does not evict an attacker who already holds a valid session; after upgrading, verify the fix by logging in from two browsers, changing the password in one, and confirming that the other session is rejected.