Description
A remote code execution vulnerability exists in Liferay Portal 6.1 that can be exploited through its JSON web services (JSONWS) interface.
The JSONWS servlet of Liferay Portal uses the Flexjson library, which allows a request body to cause the instantiation of arbitrary classes and the invocation of arbitrary setter methods on them.
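Because the weakness lies in letting the request body choose which classes the server instantiates, a practical detection control is to inspect JSON bodies sent to the JSONWS endpoint for type hints naming classes the application never expects. The following Python is an added example written for this page, not code from Liferay or Flexjson; it assumes Flexjson's convention of carrying the type hint in a "class" attribute, assumes the JSONWS endpoint is served under /api/jsonws, and uses a constructed allowlist and constructed sample requests.

```python
import json
from typing import Any, Iterator, List, Tuple

# Constructed allowlist (hypothetical names): fully qualified types the
# application legitimately expects inside JSONWS request bodies.
ALLOWED_CLASSES = frozenset({
    "com.example.portal.dto.SearchRequest",
})

# Assumed Flexjson type-hint attribute: the deserializer reads this key to
# decide which class to instantiate, so it is what a defender should watch.
TYPE_HINT_KEY = "class"

# Assumed Liferay JSONWS path prefix.
JSONWS_PREFIX = "/api/jsonws"


def iter_type_hints(node: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Recursively yield (json_path, class_name) for every type hint found,
    including hints nested inside objects and arrays."""
    if isinstance(node, dict):
        hint = node.get(TYPE_HINT_KEY)
        if isinstance(hint, str):
            yield path, hint
        for key, value in node.items():
            yield from iter_type_hints(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_type_hints(value, f"{path}[{index}]")


def find_unexpected_classes(body: str) -> List[Tuple[str, str]]:
    """Return every type hint in a JSON body that is not on the allowlist.
    A body that is not valid JSON yields no findings here; log it separately."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    return [(p, c) for p, c in iter_type_hints(doc) if c not in ALLOWED_CLASSES]


def is_jsonws_request(path: str) -> bool:
    """Only JSONWS requests reach the Flexjson deserializer."""
    return path.startswith(JSONWS_PREFIX)


def triage(method: str, path: str, body: str) -> dict:
    """Produce an alert record for one request: flagged when the body names
    a class outside the allowlist on a JSONWS path."""
    findings = find_unexpected_classes(body) if is_jsonws_request(path) else []
    return {"method": method, "path": path, "flag": bool(findings),
            "findings": findings}


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    ("POST", "/api/jsonws/search/find",
     '{"class":"com.example.portal.dto.SearchRequest","keywords":"report"}'),
    ("POST", "/api/jsonws/search/find",
     '{"class":"com.example.Unexpected","items":[{"class":"com.example.Other"}]}'),
    ("POST", "/web/guest/home", '{"class":"com.example.Unexpected"}'),
]

if __name__ == "__main__":
    for method, path, body in SAMPLE_REQUESTS:
        record = triage(method, path, body)
        status = "ALERT" if record["flag"] else "ok"
        print(f"{status:5} {method} {path} {record['findings']}")
```

Run as a script, the second sample is the only one flagged: the first names an allowlisted type and the third never reaches the JSONWS deserializer. The allowlist is deliberately a denial-by-default control; tuning it from the application's real DTOs is more robust than trying to enumerate dangerous classes.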
Remediation
Upgrade to the latest version of Liferay Portal.
References
Related Vulnerabilities
VMware Aria Operations for Networks RCE (CVE-2023-20887)
WordPress Plugin WP-Filebase Download Manager Remote Code Execution (0.3.0.03)
ColdFusion AMF Deserialization RCE
JBoss Application Server HTTPServerILServlet.java remote code execution
RCE in Ivanti Connect Secure and Policy Secure (CVE-2024-21887)