9.8
CVE-2020-7961
- EPSS 94.41%
- Published 20.03.2020 19:15:12
- Last modified 14.03.2025 20:38:00
- Source cve@mitre.org
Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
Data is provided by the National Vulnerability Database (NVD)
Liferay ≫ Liferay Portal, SwEdition: community, Version < 7.2.1
03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog
Vulnerability: Liferay Portal Deserialization of Untrusted Data Vulnerability
Description: Liferay Portal contains a deserialization of untrusted data vulnerability that allows remote attackers to execute code via JSON web services.
Required actions: Apply updates per vendor instructions.

Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 94.41% | 0.999 |

Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
nvd@nist.gov | 7.5 | 10 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.