CVE-2020-7961

Name of the Vulnerable Software and Affected Versions Liferay Portal versions prior to 7.2.1 CE GA2

Description The issue is related to the deserialization of untrusted data in Liferay Portal, which allows remote attackers to execute arbitrary code via JSON web services (JSONWS). This is due to shortcomings in the deserialization mechanism. The exploitation of this issue can enable a remote attacker to execute arbitrary code.

Recommendations For versions prior to 7.2.1 CE GA2, update to version 7.2.1 CE GA2 or later to resolve the issue. As a temporary workaround, consider restricting access to the JSONWS services until a patch is applied. Avoid using the JSONWS services for untrusted data until the issue is resolved.