GitHub Advisory DatabaseGHSA-97GM-MCV6-CPHMShell command injection in Liferay Portal
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.7 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
71.1%
Liferay Portal through 6.2.10 allows remote authenticated users to execute arbitrary shell commands via a crafted Velocity template.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| com.liferay.portal:portal-service | lt | 6.2.11 | |
| com.liferay.portal:portal-impl | lt | 6.2.11 |
References
dev.liferay.com/web/community-security-team/known-vulnerabilities
dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asset_publisher/4AHAYapUm8Xc/content/lps-64547-remote-code-execution-and-privilege-escalation-in-templates
github.com/advisories/GHSA-97gm-mcv6-cphm
github.com/liferay/liferay-portal/commit/90c4e85a8f8135f069f3f05e4d54a77704769f91
issues.liferay.com/browse/LPE-14964
issues.liferay.com/browse/LPS-64547
issues.liferay.com/browse/LPS-7087
nvd.nist.gov/vuln/detail/CVE-2010-5327
Related
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.7 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
71.1%