The vulnerability exists in the `/api/jsonws/invoke` endpoint of Liferay DXP/Portal. It allows unauthenticated remote code execution due to unsafe Java deserialization of untrusted data. The core issue is within the UserProfilePhotoUploadServlet, which improperly handles serialized objects. An attacker can send a crafted HTTP POST request containing a malicious serialized Java object in the `image` parameter. When this payload is deserialized by the vulnerable server, it triggers the execution of arbitrary code within the context of the Liferay application server. This bypasses all authentication mechanisms, granting the attacker full control over the target system. The exploit leverages gadget chains present in the application’s classpath to achieve code execution.
Platform: Liferay DXP
Version: < 7.4.3.112
Vulnerability: RCE
Severity: Critical
Date: 2023-06-15
Prediction: 2023-07-20
What Undercode Say:
Analytics
curl -s "http://target/api/jsonws/invoke" | grep -i "error"
nmap -p 8080 --script http-vuln-cve2023-33953 target
searchsploit liferay 2023
python3 poc.py --url http://target
How to Exploit:
POST /api/jsonws/invoke HTTP/1.1 cmd=serialized_gadget_chain
Protection from this CVE
Apply vendor patch.
Upgrade to 7.4.3.112+.
Use WAF rules.
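The "Use WAF rules" item above is only useful if the rule matches what the description says arrives in the request: a serialized Java object in a POST parameter to `/api/jsonws/invoke`. The following is an added detection example, not code from the original post or from Liferay: it scans constructed request-log lines for POST bodies to that endpoint that carry a Java serialization stream, either as raw bytes (magic `0xACED0005`), percent-encoded, or base64-encoded (a stream that starts with those four bytes always base64-encodes to a string beginning with `rO0AB`). The log line format (`timestamp method path body`) and the sample lines are assumptions constructed for this example; the constant `WATCHED_PATHS` is an assumption as well.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# Base64 of those four header bytes (plus anything after them) always begins with "rO0AB".
JAVA_SER_B64_PREFIX = "rO0AB"

# Assumed: the endpoint named in the advisory; extend the tuple for other deserialization sinks.
WATCHED_PATHS: Tuple[str, ...] = ("/api/jsonws/invoke",)

# Assumed log format, one request per line: "<timestamp> <METHOD> <path> <raw body>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>.*)$")


@dataclass
class Finding:
    line_no: int
    path: str
    reason: str


def body_has_java_serialization(body: bytes) -> Optional[str]:
    """Return why the body looks like a Java serialization stream, or None if it does not."""
    if JAVA_SER_MAGIC in body:
        return "raw Java serialization magic 0xACED0005"
    text = body.decode("latin-1")  # byte-preserving decode so percent-decoding below is exact
    if JAVA_SER_B64_PREFIX in text:
        return "base64 Java serialization prefix rO0AB"
    # Form-encoded bodies may percent-encode the raw bytes (%AC%ED%00%05).
    if JAVA_SER_MAGIC in urllib.parse.unquote_to_bytes(text):
        return "percent-encoded Java serialization magic"
    return None


def scan_request_log(lines: List[str], watched_paths: Tuple[str, ...] = WATCHED_PATHS) -> List[Finding]:
    """Flag POST requests to a watched path whose body carries a Java serialization stream."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].startswith(watched_paths):
            continue
        reason = body_has_java_serialization(m["body"].encode("latin-1"))
        if reason:
            findings.append(Finding(line_no, m["path"], reason))
    return findings


# Constructed sample log: one benign GET, one benign JSON-WS call, two suspicious bodies,
# and one POST to an unwatched path.
SAMPLE_LOG = [
    '2023-06-15T10:00:01Z GET /api/jsonws/invoke cmd=%7B%22/user/get-current-user%22%3A%7B%7D%7D',
    '2023-06-15T10:00:02Z POST /api/jsonws/invoke cmd={"/user/get-current-user":{}}',
    "2023-06-15T10:00:03Z POST /api/jsonws/invoke image=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAAAAAAAAAAB",
    "2023-06-15T10:00:04Z POST /api/jsonws/invoke image=%AC%ED%00%05%73%72%00%11",
    "2023-06-15T10:00:05Z POST /c/portal/login login=test%40example.com",
]

if __name__ == "__main__":
    for f in scan_request_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.path}: {f.reason}")
```

The same three patterns (raw magic, `rO0AB`, and the percent-encoded form) are what a WAF rule for this endpoint would match on. Matching `rO0AB` anywhere in a body can false-positive on unrelated base64 data that happens to contain that substring; anchoring the match at the start of a parameter value is stricter, at the cost of missing a stream embedded inside another encoding.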
Impact:
Full system compromise.
Data breach.
Service disruption.
Sources:
Reported By: nvd.nist.gov

