WEB APPLICATION VULNERABILITIES Standard & Premium

Liferay JSON service API authentication vulnerability

Description

The Liferay JSON implementation do not check if a user that call a method on a serviceClass is disabled. Usually the default administrator user, test@liferay.com, is used to create a new administrator and disabled without to change the default password, so it is possible to use it to execute JSON API calls.

Remediation

Upgrade to the latest version of Liferay.

References

Liferay JSON service API authentication vulnerability

Liferay homepage

Related Vulnerabilities

Jenkins Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2021-21605)

Django Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2011-0697)

PHP Incorrect Calculation of Buffer Size Vulnerability (CVE-2008-0599)

Roundcube Cross-site Request Forgery (CSRF) Vulnerability (CVE-2016-4069)

Oracle Application Server CVE-2007-5517 Vulnerability (CVE-2007-5517)

Severity

High

Classification

CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Authentication Bypass Known Vulnerabilities