Description
A remote code execution vulnerability exists in Liferay Portal 6.1 that can be exploited via JSON web services (JSONWS).
The JSONWS servlet of Liferay Portal uses the flexjson library, which allows the instantiation of arbitrary classes and the invocation of arbitrary setter methods.
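The class of flaw described above, seen from the fix side in an added example (this is not Liferay or flexjson code): a small binder that creates the type named in request data and calls its setters, with an allow-list check placed before instantiation. All class, field and method names here are hypothetical.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;

public class AllowListBinder {
    // Constructed bean standing in for a parameter type the service expects.
    public static class Address {
        private String city;
        public void setCity(String city) { this.city = city; }
        public String getCity() { return city; }
    }

    // Constructed bean the service never expects; its setter has a side effect.
    public static class Unexpected {
        static boolean setterRan = false;
        public void setTarget(String target) { setterRan = true; }
    }

    // Only types listed here may be created from request data (assumed policy).
    static final Set<String> ALLOWED = Set.of(Address.class.getName());

    // Create the named type and apply its String setters, but only after the
    // name passes the allow-list, so no foreign constructor or setter runs.
    static Object bind(String className, Map<String, String> props) throws Exception {
        if (!ALLOWED.contains(className)) {
            throw new SecurityException("type not allowed: " + className);
        }
        Object bean = Class.forName(className).getDeclaredConstructor().newInstance();
        for (Map.Entry<String, String> e : props.entrySet()) {
            String key = e.getKey();
            if (key.isEmpty()) continue;
            String setter = "set" + Character.toUpperCase(key.charAt(0)) + key.substring(1);
            Method m = bean.getClass().getMethod(setter, String.class);
            m.invoke(bean, e.getValue());
        }
        return bean;
    }

    public static void main(String[] args) throws Exception {
        Address a = (Address) bind(Address.class.getName(), Map.of("city", "Lisbon"));
        System.out.println("bound city = " + a.getCity());
        try {
            bind(Unexpected.class.getName(), Map.of("target", "x"));
        } catch (SecurityException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
        System.out.println("unexpected setter ran = " + Unexpected.setterRan);
    }
}
```

Without the allow-list check, `bind` would construct `Unexpected` and run its setter purely because the request named it, which is the behaviour the description attributes to the JSONWS servlet.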
Remediation
Upgrade to the latest version of Liferay Portal.