CVE-2019-16891

CRITICAL

Liferay Portal CE 6.2.5 - Code Injection

Title source: llm

Description

Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload.

Exploits (1)

nomisec STUB

by rai0ffs3c · poc

https://github.com/rai0ffs3c/CVE-2019-16891-Liferay-deserialization-RCE

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory] https://dappsec.substack.com/p/an-advisory-for-cve-2019-16891-from

[Exploit, Third Party Advisory] https://sec.vnpt.vn/2019/09/liferay-deserialization-json-deserialization-part-4/

[Product, Release Notes] https://www.liferay.com/downloads-community

[Exploit] https://www.youtube.com/watch?v=DjMEfQW3bf0

Scores

CVSS v3 9.8

EPSS 0.7956

EPSS Percentile 99.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (50)

liferay/liferay_portal < 6.0.6

liferay/liferay_portal

liferay/liferay_portal

liferay/liferay_portal

liferay/liferay_portal

liferay/liferay_portal

liferay/liferay_portal

liferay/liferay_portal

liferay/liferay_portal

liferay/liferay_portal

liferay/liferay_portal

liferay/liferay_portal

liferay/liferay_portal

liferay/liferay_portal

liferay/liferay_portal

... and 35 more

Timeline

Published Oct 04, 2019

Tracked Since Feb 18, 2026