9.8
CVE-2020-7961
- EPSS 94.41%
- Published 20.03.2020 19:15:12
- Last modified 14.03.2025 20:38:00
- Source cve@mitre.org
Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
Data provided by the National Vulnerability Database (NVD)
Liferay ≫ Liferay Portal, SwEdition: community, Version < 7.2.1
03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog
- Vulnerability: Liferay Portal Deserialization of Untrusted Data Vulnerability
- Description: Liferay Portal contains a deserialization of untrusted data vulnerability that allows remote attackers to execute code via JSON web services.
- Required actions: Apply updates per vendor instructions.

Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 94.41% | 0.999 |

Source | Base Score | Exploit Score | Impact Score | Vector String |
---|---|---|---|---|
nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
nvd@nist.gov | 7.5 | 10 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.