CVE-2020-28885

Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject commands through the Gogo Shell module to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to access and execute commands in Gogo Shell and therefore not a design fla

Published: Jan 28, 2022
Updated: Nov 8, 2023
CVE: CVE-2020-28885
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.2
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9
AV:N/AC:L/Au:S/C:C/I:C/A:C

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
liferay / liferay_portal	7.2-ga1	7.2-ga1.x
liferay / liferay_portal	7.3.5-ga6	7.3.5-ga6.x

https://medium.com/@tranpdanh/some-way-to-execute-os-command-in-liferay-portal-84498bde18d3
https://medium.com/%40tranpdanh/some-way-to-execute-os-command-in-liferay-portal-84498bde18d3

Vulnerability Database

290,020

CVE-2020-28885