PT-2022-8910 · Liferay · Liferay Portal Server
Published: 2022-01-28 · Updated: 2024-08-04 · CVE-2020-28885
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Liferay Portal Server versions 7.2.0 GA1 through 7.3.5 GA6
Description
The issue allows an administrator user to inject commands through the Gogo Shell module, enabling execution of arbitrary OS commands on the Liferay Portal Server host with the privileges of the portal process. The vendor disputes the classification as a vulnerability, since the Gogo Shell is an intended feature that lets administrators access the OSGi console and execute commands; the practical risk is that any compromised or over-privileged administrator account becomes remote code execution on the server.
Recommendations
For versions 7.2.0 GA1 through 7.3.5 GA6, restrict access to the Gogo Shell module (limit it to the smallest set of administrator accounts that genuinely need it, and monitor its use) to reduce the risk of exploitation. As a temporary workaround, disable the Gogo Shell module until a resolution is determined.
Exploit
Fix
Weakness Enumeration
OS Command Injection
Related Identifiers
Affected Products
Liferay Portal Server