CVE-2020-28885
HIGH
Liferay Portal 7.2.0 GA1 and 7.3.5 GA6 - Authenticated OS Command Injection via Gogo Shell Module
Title source: llm
Description
Liferay Portal Server, tested on 7.3.5 GA6 and 7.2.0 GA1, is affected by OS Command Injection. An administrator user can inject commands through the Gogo Shell module to execute any OS command on the Liferay Portal Server. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to access and execute commands in Gogo Shell and therefore not a design fla
References (1)
Core 1
Core References
Various Sources x_refsource_misc
https://medium.com/%40tranpdanh/some-way-to-execute-os-command-in-liferay-portal-84498bde18d3
Scores
CVSS v3
7.2
EPSS
0.0081
EPSS Percentile
74.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (2)
liferay/liferay_portal
7.2 ga1
liferay/liferay_portal
7.3.5 ga6
Published
Jan 28, 2022
Tracked Since
Feb 18, 2026