Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLiferay Portal
APPLiferay< 7.2.1
CISA KEV — detailsi
- Vendori
- Liferay
- Producti
- Liferay Portal
- Added to KEVi
- November 3, 2021
- Remediation deadline (US Federal)i
- May 3, 2022(overdue)
Required action (CISA)i
Apply updates per vendor instructions.
CISA descriptioni
Liferay Portal contains a deserialization of untrusted data vulnerability that allows remote attackers to execute code via JSON web services.
🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
⏰CISA DEADLINE: 3 maja 2022
Tags
RCEDeserialization
References
Related vulnerabilities
CVE-2024-8980CRITICAL9.6PL ✓ten sam produkt
Liferay Portal/DXP: CSRF w Script Console umożliwia wykonanie kodu Groovy
CVE-2024-38002CRITICAL9.0PL ✓ten sam produkt
RCE w komponencie workflow Liferay Portal i DXP — brak weryfikacji uprawnień
CVE-2023-47795CRITICAL9.0PL ✓ten sam produkt
Stored XSS w widżecie Document and Media platformy Liferay
CVE-2023-42496CRITICAL9.6PL ✓ten sam produkt
Reflected XSS w Liferay Portal i DXP na stronie przypisywania ról
CVE-2023-40191CRITICAL9.0PL ✓ten sam produkt
Reflected XSS w ustawieniach kont Liferay Portal i DXP