Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
History
21 Nov 2024, 05:38
Type | Values Removed | Values Added |
---|---|---|
References | () http://packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Remote-Code-Execution.html - Third Party Advisory, VDB Entry | |
References | () http://packetstormsecurity.com/files/158392/Liferay-Portal-Remote-Code-Execution.html - Third Party Advisory, VDB Entry | |
References | () https://portal.liferay.dev/learn/security/known-vulnerabilities - Vendor Advisory | |
References | () https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271 - Vendor Advisory | |
References | () https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ - Exploit, Third Party Advisory | |
Information
Published : 2020-03-20 19:15
Updated : 2024-11-21 05:38
NVD link : CVE-2020-7961
Mitre link : CVE-2020-7961
CVE.ORG link : CVE-2020-7961
Products Affected
liferay
- liferay_portal
CWE
CWE-502
Deserialization of Untrusted Data