CVE-2020-28884: 
Liferay Portal vulnerability analysis and mitigation

CVE-2020-28884 is a disputed OS Command Injection vulnerability affecting Liferay Portal Server versions 7.3.5 GA6 and 7.2.0 GA1. The vulnerability allows administrator users to inject Groovy scripts to execute arbitrary OS commands on the Liferay Portal Server. The issue was discovered in November 2020, but Liferay disputes this as a vulnerability since it is an intended feature for administrators to run Groovy scripts (NVD).

The vulnerability exists in the Script Console functionality accessible via the Server Administration panel. An administrator can execute arbitrary OS commands by injecting Groovy scripts through the Script Console interface. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.2 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating high impact but requiring administrative privileges (NVD).

If exploited, the vulnerability allows administrators to execute arbitrary operating system commands on the Liferay Portal Server. This could potentially lead to complete system compromise within the scope of the server's permissions. However, since this requires administrative access and is considered an intended feature by Liferay, the real-world impact is disputed (NVD).

Since this is a disputed vulnerability and considered an intended feature by Liferay, the primary mitigation is to properly restrict access to administrative functions. The Script Console should only be accessible to trusted administrators as it is designed for system operations and maintenance, not for end users (Liferay Docs).