CVE-2020-28884

Source
https://cve.org/CVERecord?id=CVE-2020-28884
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28884.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-28884
Published
2022-01-28T12:15:07.913Z
Modified
2026-07-08T20:42:27.183208Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject Groovy script to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw.

References

Affected packages

Git / github.com/liferay/liferay-portal

Affected ranges

Type
GIT
Repo
https://github.com/liferay/liferay-portal
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:liferay:liferay_portal:7.2:ga1:*:*:community:*:*:*",
        "cpe:2.3:a:liferay:liferay_portal:7.3.5:ga6:*:*:community:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "7.2-ga1"
        },
        {
            "last_affected": "7.2-ga1"
        },
        {
            "introduced": "7.3.5-ga6"
        },
        {
            "last_affected": "7.3.5-ga6"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

7.*
7.2-ga1
7.3.5-ga6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28884.json"