Unrated severityNVD Advisory· Published Jan 28, 2022· Updated Aug 4, 2024

CVE-2020-28884

Description

Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject Groovy script to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw.

Affected products

Liferay/Liferay Portal Serverdescription
Liferay/Liferay Portal Serverllm-fuzzy
Range: 7.2.0 GA1, 7.3.5 GA6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

learn.liferay.com/dxp/latest/en/system-administration/using-the-script-engine/running-scripts-from-the-script-console.htmlmitre
medium.com/%40tranpdanh/some-way-to-execute-os-command-in-liferay-portal-84498bde18d3mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.003
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000