CVE-2020-28885 โ€” OS Command Injection in Portal

CWE-78 โ€” OS Command Injection3 documents3 sources
Severity
7.2HIGHNVD
EPSS
0.8%
top 25.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Liferay Portal
Timeline
PublishedJan 28
Latest updateJan 29

Description

Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject commands through the Gogo Shell module to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to access and execute commands in Gogo Shell and therefore not a design fla

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages1 packages

โ–ถNVDliferay/liferay_portal7.2, 7.3.5+1

๐Ÿ”ดVulnerability Details

2
GHSA
GHSA-p4v3-xxw2-gx2c: Liferay Portal Server tested on 7โ†—2022-01-29
โ–ถ
CVEList
CVE-2020-28885: Liferay Portal Server tested on 7โ†—2022-01-28
โ–ถ
CVE-2020-28885 โ€” OS Command Injection in Liferay Portal | cvebase