Description
Liferay Portal Server (tested on 7.3.5 GA6 and 7.2.0 GA1) is affected by OS command injection. An administrator user can inject a Groovy script to execute any OS command on the Liferay Portal Server.
Remediation
References
Related Vulnerabilities
PHP Use of Externally-Controlled Format String Vulnerability (CVE-2009-3294)
WordPress Plugin Zingiri Web Shop 'ajax_save_name.php' Remote Code Execution (2.2.3)
WordPress Plugin MasterStudy LMS-for Online Courses and Education Privilege Escalation (3.3.1)
WordPress 'wp-admin/admin.php' Module Configuration Security Bypass Vulnerability (0.6.2 - 2.8)