Description
** DISPUTED ** An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a [command].execute() call, as demonstrated by "def cmd =" in the ServerAdminPortlet_script value to group/control_panel/manage. Valid credentials for an application administrator user account are required. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run Groovy scripts and therefore not a design flaw.
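Because the script console is an intended administrator feature, monitoring its use is the practical control. The following is an added detection example, not code from Liferay or from this advisory: it assumes a reverse proxy or WAF that logs request bodies as JSON lines with the hypothetical fields `src`, `user`, `url` and `body`, and the sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Substrings taken from the advisory text; real parameter names carry a portlet namespace prefix.
SCRIPT_PARAM = "ServerAdminPortlet_script"
CONSOLE_PATH = "group/control_panel/manage"
# Groovy's .execute() on a String or List starts an OS process (heuristic: other .execute() calls match too).
EXECUTE_CALL = re.compile(r"\.\s*execute\s*\(")

def script_values(record):
    """Yield URL-decoded script-console values from the query string and form body."""
    url = urlsplit(record.get("url") or "")
    if CONSOLE_PATH not in url.path:
        return
    for raw in (url.query, record.get("body") or ""):
        for name, value in parse_qsl(raw, keep_blank_values=True):
            if name.endswith(SCRIPT_PARAM):
                yield value

def classify(record):
    """Return None, 'script-console-use' or 'os-command-execution'."""
    verdict = None
    for value in script_values(record):
        if EXECUTE_CALL.search(value):
            return "os-command-execution"
        verdict = "script-console-use"
    return verdict

def scan(lines):
    """Return (user, source IP, verdict) for every log line that touches the script console."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        verdict = classify(record)
        if verdict:
            hits.append((record.get("user"), record.get("src"), verdict))
    return hits

# Constructed sample records (not real traffic); "[command]" is the advisory's own placeholder.
SAMPLE_LOG = [
    '{"src":"10.0.0.5","user":"admin1","url":"/group/control_panel/manage?p_p_id=x","body":"_com_liferay_server_admin_web_portlet_ServerAdminPortlet_script=def+cmd+%3D+%22%5Bcommand%5D%22%3B+println+cmd.execute%28%29.text"}',
    '{"src":"10.0.0.9","user":"admin2","url":"/group/control_panel/manage","body":"_com_liferay_server_admin_web_portlet_ServerAdminPortlet_script=out.println%28%22hello%22%29"}',
    '{"src":"10.0.0.7","user":"guest","url":"/web/guest/home","body":"q=cmd.execute%28%29"}',
    'not a json line',
]
```

Alerting on every `script-console-use` hit, and paging on `os-command-execution`, gives administrators an audit trail for a feature that the vendor does not treat as a flaw.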
Remediation
References