Description

Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject Groovy script to execute any OS command on the Liferay Portal Sever.

Remediation

References

CVE-2020-28884

Related Vulnerabilities

Magento Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2021-21024)

Oracle JRE CVE-2023-21830 Vulnerability (CVE-2023-21830)

WordPress Plugin Duplicator-WordPress Migration Cross-Site Scripting (1.2.32)

WordPress Plugin Delete All Comments Cross-Site Request Forgery (1.0)

WordPress Plugin SendPress Newsletters Multiple Vulnerabilities (1.1.7.21)

Severity

High

Classification

CVE-2020-28884 CWE-138

Tags

Missing Update Known Vulnerabilities