Liferay JSON service API authentication vulnerability

Description
  • The Liferay JSON implementation does not check whether the user calling a method on a serviceClass is disabled. Typically the default administrator account, test@liferay.com, is used to create a new administrator and is then deactivated without its default password being changed, so it can still be used to execute JSON API calls.
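The following is an added, simplified model of the flaw described above; it is not Liferay's code. It assumes a directory of accounts with an `active` flag and a privileged role, a constructed placeholder password for the default account, and a constructed service name `UserService`. It shows an authorization routine that stops after the credential check beside one that also refuses deactivated accounts, plus an audit helper that lists deactivated accounts still holding a privileged role.

```python
"""Model of a JSON service authorization check that forgets account status.

Added illustration only, not Liferay's implementation. All accounts,
passwords and service names below are constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    active: bool = True
    roles: set = field(default_factory=set)


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever the real product uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(email: str, password: str, active: bool = True, roles=()) -> Account:
    salt = os.urandom(16)
    return Account(email, salt, _hash(password, salt), active, set(roles))


# Constructed directory: the default admin was used to create a new admin and
# then deactivated, but its password was never changed (placeholder value).
DIRECTORY = {
    "test@liferay.com": make_account(
        "test@liferay.com", "DEFAULT-PASSWORD-PLACEHOLDER",
        active=False, roles={"Administrator"}),
    "admin@example.org": make_account(
        "admin@example.org", "S3cure-Passw0rd!", roles={"Administrator"}),
}


def credentials_valid(email: str, password: str):
    """Return the account if the password matches, else None (constant-time compare)."""
    acct = DIRECTORY.get(email)
    if acct is None:
        return None
    if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        return acct
    return None


def authorize_vulnerable(email: str, password: str, service_class: str, method: str) -> bool:
    """Credential check only: a deactivated account is still allowed to call the service."""
    acct = credentials_valid(email, password)
    return acct is not None and "Administrator" in acct.roles


def authorize_fixed(email: str, password: str, service_class: str, method: str) -> bool:
    """Credential check followed by an account-status check before the role check."""
    acct = credentials_valid(email, password)
    if acct is None or not acct.active:
        # Deactivated or unknown account: refuse regardless of roles held.
        return False
    return "Administrator" in acct.roles


def stale_privileged_accounts(directory) -> list:
    """Audit helper: deactivated accounts that still hold the Administrator role.

    Stripping privileged roles at deactivation time limits the blast radius if
    a status check is missing somewhere else in the stack.
    """
    return sorted(a.email for a in directory.values()
                  if not a.active and "Administrator" in a.roles)


if __name__ == "__main__":
    args = ("test@liferay.com", "DEFAULT-PASSWORD-PLACEHOLDER", "UserService", "addUser")
    print("vulnerable check admits disabled account:", authorize_vulnerable(*args))
    print("fixed check admits disabled account:     ", authorize_fixed(*args))
    print("deactivated accounts still privileged:   ", stale_privileged_accounts(DIRECTORY))
```

The essential difference is the order of checks: credential verification, then account status, then role evaluation. The audit helper is the compensating control a defender would run periodically, since a deactivated account that retains administrator roles is exactly the precondition the description relies on.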
Remediation
  • Upgrade to the latest version of Liferay.
References