CVE-2020-28884 โ€” OS Command Injection in Portal

CWE-78 โ€” OS Command Injection3 documents3 sources
Severity
7.2HIGHNVD
EPSS
3.8%
top 11.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Liferay Portal
Timeline
PublishedJan 28
Latest updateJan 29

Description

Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject Groovy script to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages1 packages

โ–ถNVDliferay/liferay_portal7.2, 7.3.5+1

๐Ÿ”ดVulnerability Details

2
GHSA
GHSA-9xmw-jrc5-v3fp: Liferay Portal Server tested on 7โ†—2022-01-29
โ–ถ
CVEList
CVE-2020-28884: Liferay Portal Server tested on 7โ†—2022-01-28
โ–ถ
CVE-2020-28884 โ€” OS Command Injection in Liferay Portal | cvebase