Description
** DISPUTED ** An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a [command].execute() call, as demonstrated by "def cmd =" in the ServerAdminPortlet_script value submitted to group/control_panel/manage. Valid credentials for an application administrator user account are required. NOTE: The developer disputes this as a vulnerability, since running Groovy scripts is an intended feature for administrators and therefore not a design flaw.
Remediation
References
Related Vulnerabilities
MySQL CVE-2016-0596 Vulnerability (CVE-2016-0596)
Oracle Application Server Other Vulnerability (CVE-2007-0281)
WordPress Plugin Hungred Post Thumbnail 'hpt_file_upload.php' Arbitrary File Upload (2.1.9)
Moodle Exposure of Resource to Wrong Sphere Vulnerability (CVE-2021-43560)
Liferay DXP Incorrect Authorization Vulnerability (CVE-2024-25604)