← back
CVE-2019-11444

CVE-2019-11444

EPSS 12.8%
An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a [command].execute() call, as demonstrated by "def cmd =" in the ServerAdminPortlet_script value to group/control_panel/manage. Valid credentials for an application administrator user account are required. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw
Affected products
n/a · n/a
public PoCs found1
cve_referencewww.exploit-db.com/exploits/46525unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://dev.liferay.com/discover/portal/-/knowledge_base/7-1/running-scripts-from-the-script-consolehttps://pentest.com.tr/exploits/Liferay-CE-Portal-Tomcat-7-1-2-ga3-Groovy-Console-Remote-Command-Execution-Metasploit.htmlhttps://www.exploit-db.com/exploits/46525