CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2020-7961

CVSS 9.8v3.1pub. 2020-03-20upd. 2025-11-07

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Liferay Portal

    APP
    Liferay
    < 7.2.1

CISA KEV — detailsi

Vendori
Liferay
Producti
Liferay Portal
Added to KEVi
November 3, 2021
Remediation deadline (US Federal)i
May 3, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Liferay Portal contains a deserialization of untrusted data vulnerability that allows remote attackers to execute code via JSON web services.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 3 maja 2022
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2024-8980CRITICAL9.6PL ✓ten sam produkt

Liferay Portal/DXP: CSRF w Script Console umożliwia wykonanie kodu Groovy

CVE-2024-38002CRITICAL9.0PL ✓ten sam produkt

RCE w komponencie workflow Liferay Portal i DXP — brak weryfikacji uprawnień

CVE-2023-47795CRITICAL9.0PL ✓ten sam produkt

Stored XSS w widżecie Document and Media platformy Liferay

CVE-2023-42496CRITICAL9.6PL ✓ten sam produkt

Reflected XSS w Liferay Portal i DXP na stronie przypisywania ról

CVE-2023-40191CRITICAL9.0PL ✓ten sam produkt

Reflected XSS w ustawieniach kont Liferay Portal i DXP