CVE-2011-1571 — Liferay Portal vulnerable to arbitrary command injection

Description

Unspecified vulnerability in the XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote attackers to execute arbitrary commands via unknown vectors.

How to fix CVE-2011-1571

To remediate CVE-2011-1571, upgrade the affected package to a fixed version below.

Maven/com.liferay.portal:portal-service—upgrade to 6.0.6-ga or later

Is CVE-2011-1571 being exploited?

Moderate — EPSS is 7.4%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 5.0.0, < 6.0.6-ga

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2011-1571
PATCHgithub.com/liferay/liferay-portal
WEBissues.liferay.com/browse/LPS-14726
WEBissues.liferay.com/secure/ReleaseNote.jspa?version=10656&styleName=Html&projectId=10952
WEB