First published: Mon Apr 22 2019(Updated: )
** DISPUTED ** An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a [command].execute() call, as demonstrated by "def cmd =" in the ServerAdminPortlet_script value to group/control_panel/manage. Valid credentials for an application administrator user account are required. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay Liferay Portal | =7.1.2-ga3 | |
=7.1.2-ga3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.