Liferay Portal
CVE-2019-11444
HIGH
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a [command].execute() call, as demonstrated by "def cmd =" in the ServerAdminPortlet_script value to group/control_panel/manage. Valid credentials for an application administrator user account are required. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw
AnalysisAI
An issue was discovered in Liferay Portal CE 7.1.2 GA3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as OS Command Injection (CWE-78), which allows attackers to execute arbitrary operating system commands on the host. An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a [command].execute() call, as demonstrated by "def cmd =" in the ServerAdminPortlet_script value to group/control_panel/manage. Valid credentials for an application administrator user account are required. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw Affected products include: Liferay Liferay Portal.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Avoid passing user input to shell commands. Use language-specific APIs instead of shell execution. Apply strict input validation with allowlists.
More in Liferay Portal
View allDeserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary c
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024
Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload. Rated critical sev
In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6
Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous
Cross-site scripting (XSS) vulnerability in users.jsp in the Profile Search functionality in Liferay before 7.0.0 CE RC1
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.133, and Liferay DXP 2025
A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Lifera
In Liferay Portal 6.1.0, the tags section has XSS via a Public Render Parameter (p_r_p) value, as demonstrated by p_r_p_
HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 be
A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 befor
A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today