PT-2022-8909 · Liferay · Liferay Portal Server

Published: 2022-01-28 · Updated: 2024-08-04 · CVE-2020-28884

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Liferay Portal Server versions 7.2.0 GA1 through 7.3.5 GA6

Description: The issue allows an authenticated administrator to submit Groovy scripts, enabling execution of arbitrary OS commands on the Liferay Portal Server. The developer disputes this, regarding the ability of administrators to run Groovy scripts as an intended feature rather than a design flaw.

Recommendations: For versions 7.2.0 GA1 through 7.3.5 GA6, consider restricting the ability to run Groovy scripts to minimize the risk of unauthorized OS command execution. At the moment, no newer version containing a fix for this vulnerability is known.

Exploit

OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2020-28884

Affected Products: Liferay Portal Server