Description

Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject commands through the Gogo Shell module to execute any OS command on the Liferay Portal Sever.

Remediation

References

CVE-2020-28885

Related Vulnerabilities

Ruby Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2019-16255)

OpenSSL Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2015-0292)

WordPress Plugin Simple Download Monitor Multiple Cross-Site Scripting Vulnerabilities (3.9.4)

WordPress Plugin Fancy Product Designer-WooCommerce Cross-Site Request Forgery (4.7.5)

Oracle Database Server CVE-2015-4925 Vulnerability (CVE-2015-4925)

Severity

High

Classification

CVE-2020-28885 CWE-138

Tags

Missing Update Known Vulnerabilities