PT-2019-12309 · Liferay · Liferay Portal

Researcher: Akkus +1
Published: 2019-04-22
Updated: 2024-08-04
CVE: CVE-2019-11444

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Liferay Portal CE version 7.1.2 GA3
Description: An issue in Liferay Portal CE allows an attacker to execute OS commands through the Groovy script console, using a command.execute() call. Exploitation requires valid credentials for an application administrator account. It can be demonstrated by setting a "def cmd =" Groovy statement as the ServerAdminPortlet script value at group/control panel/manage.
Recommendations: For Liferay Portal CE version 7.1.2 GA3, restrict access to the Groovy script console to minimize the risk of exploitation. As a temporary workaround, limit use of the command.execute() call in the Groovy script console until a more robust fix is available.

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2019-11444

Affected Products: Liferay Portal