Description
The Liferay JSON implementation do not check if a user that call a method on a serviceClass is disabled. Usually the default administrator user, test@liferay.com, is used to create a new administrator and disabled without to change the default password, so it is possible to use it to execute JSON API calls.
Remediation
Upgrade to the latest version of Liferay.
References
Related Vulnerabilities
GlassFish CVE-2016-3608 Vulnerability (CVE-2016-3608)
Squid CVE-2018-1000024 Vulnerability (CVE-2018-1000024)
WordPress Plugin ARMember-Content Restriction & Membership Security Bypass (1.4)
Jboss EAP Permissions, Privileges, and Access Controls Vulnerability (CVE-2015-5304)
PleskWin URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2023-24044)