Liferay Digital Experience Platform, Remote Code Execution, CVE-2023-33953 (Critical)


The vulnerability exists in the `/api/jsonws/invoke` endpoint of Liferay DXP/Portal. It allows unauthenticated remote code execution due to unsafe Java deserialization of untrusted data. The core issue is within the UserProfilePhotoUploadServlet, which improperly handles serialized objects. An attacker can send a crafted HTTP POST request containing a malicious serialized Java object in the `image` parameter. When this payload is deserialized by the vulnerable server, it triggers the execution of arbitrary code within the context of the Liferay application server. This bypasses all authentication mechanisms, granting the attacker full control over the target system. The exploit leverages gadget chains present in the application’s classpath to achieve code execution.
Platform: Liferay DXP
Version: < 7.4.3.112
Vulnerability: RCE
Severity: Critical
Date: 2023-06-15

Prediction: 2023-07-20

What Undercode Says:

Analytics

curl -s "http://target/api/jsonws/invoke" | grep -i "error"
nmap -p 8080 --script http-vuln-cve2023-33953 target
searchsploit liferay 2023
python3 poc.py --url http://target

How it is exploited:

POST /api/jsonws/invoke HTTP/1.1
cmd=serialized_gadget_chain

Protection from this CVE:

Apply vendor patch.

Upgrade to 7.4.3.112+.

Use WAF rules.
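An added example, not code from the advisory or from Liferay, of the request check that a WAF rule along the lines of the third item would implement: it flags a POST to `/api/jsonws/invoke` whose form parameters carry a Java object stream, whether raw or base64-encoded, recognised by the serialization header `0xACED0005` that every Java `ObjectOutputStream` writes (base64 `rO0AB`). The endpoint and the `image` parameter come from the advisory; the sample requests in the test are constructed.

```python
import base64
import binascii
from urllib.parse import parse_qs

# Java's ObjectOutputStream starts every stream with the magic 0xACED
# followed by stream version 0x0005; base64-encoded this reads "rO0AB".
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
JAVA_SERIAL_MAGIC_B64 = "rO0AB"
# Endpoint named in the advisory.
WATCHED_PATH = "/api/jsonws/invoke"


def looks_like_java_serialized(value: str) -> bool:
    """True if a decoded form value is a raw or base64-encoded Java object stream."""
    if value.startswith(JAVA_SERIAL_MAGIC_B64):
        return True
    # Values are decoded below with latin-1, so each code point maps back to
    # exactly one byte and a percent-encoded %AC%ED%00%05 header survives.
    if value.encode("latin-1", errors="replace").startswith(JAVA_SERIAL_MAGIC):
        return True
    # Lenient base64: tolerate missing padding and stray characters, since
    # form encoding turns "+" into a space and clients often drop the "=".
    try:
        decoded = base64.b64decode(value + "=" * (-len(value) % 4))
    except (binascii.Error, ValueError):
        return False
    return decoded.startswith(JAVA_SERIAL_MAGIC)


def inspect_request(method: str, path: str, body: str) -> list:
    """Return the names of form parameters carrying a Java object stream.

    Only POSTs to the JSON web service invoke endpoint are inspected; an empty
    list means the request passed.  A WAF rule built on this would block or
    log the request instead of forwarding it to Liferay.
    """
    if method.upper() != "POST" or path.split("?", 1)[0] != WATCHED_PATH:
        return []
    # latin-1 keeps raw (non-UTF-8) bytes intact instead of replacing them.
    params = parse_qs(body, keep_blank_values=True, encoding="latin-1")
    return sorted(
        name for name, values in params.items()
        if any(looks_like_java_serialized(v) for v in values)
    )
```

The check is a hint for logging or blocking at the edge, not a substitute for the vendor patch: it only sees the parameters it is given and a gzip- or otherwise-wrapped payload would need the same test applied after unwrapping.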

Impact:

Full system compromise.

Data breach.

Service disruption.


Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
