Liferay JSON service API authentication vulnerability

  • The Liferay JSON service implementation does not check whether the user invoking a method on a serviceClass is disabled (inactive). Commonly, the default administrator account is used to create a new administrator and is then disabled without its default password being changed; because the JSON API never checks the account status, the disabled default administrator can still authenticate and execute JSON API calls.
  • Upgrade to the latest version of Liferay. Until then, do not rely on disabling the default administrator account: change its default password, since a disabled account is still accepted by the JSON API.
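A minimal model of the failure mode described above, as an added example that is not Liferay's code: an authentication gate for a JSON service that verifies the password but ignores the account's active flag, beside a hardened version that refuses disabled accounts. The user store, the `admin`/`ops` logins, the `"default-password"` value and the `service_call` wrapper are all constructed for the illustration; the check that matters is the one on `user.active`.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    login: str
    salt: bytes
    pw_hash: bytes
    active: bool  # False once an administrator has "disabled" the account


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 stands in for whatever the real platform uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user(login: str, password: str, active: bool = True) -> User:
    salt = secrets.token_bytes(16)
    return User(login, salt, _hash(password, salt), active)


# Constructed sample store: the default administrator was disabled but its
# password was never changed, which is the situation the advisory describes.
USERS = {
    "admin": make_user("admin", "default-password", active=False),
    "ops": make_user("ops", "a-strong-unique-passphrase", active=True),
}


def credentials_valid(user: User, password: str) -> bool:
    return hmac.compare_digest(_hash(password, user.salt), user.pw_hash)


def authenticate_vulnerable(login: str, password: str) -> Optional[User]:
    """Checks only the credential; a disabled account is accepted."""
    user = USERS.get(login)
    if user is None or not credentials_valid(user, password):
        return None
    return user


def authenticate_fixed(login: str, password: str) -> Optional[User]:
    """Checks the credential AND refuses accounts that are not active."""
    user = USERS.get(login)
    if user is None or not credentials_valid(user, password):
        return None
    if not user.active:
        return None
    return user


def service_call(auth, login: str, password: str, method: str) -> str:
    """Models a JSON service dispatcher guarded by one of the two gates."""
    user = auth(login, password)
    if user is None:
        return "401 unauthorized"
    return f"200 {method} executed as {user.login}"


if __name__ == "__main__":
    for gate in (authenticate_vulnerable, authenticate_fixed):
        print(gate.__name__, "->",
              service_call(gate, "admin", "default-password", "UserService.addUser"))
```

Running the block shows the disabled `admin` account succeeding through the vulnerable gate and being rejected by the fixed one; the `ops` account, which is active, passes both, and a wrong password is rejected by both, so the fix adds the status check without loosening anything else.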