CVE-2020-28885: 
Liferay Portal vulnerability analysis and mitigation

CVE-2020-28885 affects Liferay Portal Server versions 7.3.5 GA6 and 7.2.0 GA1, where an administrator user can execute arbitrary OS commands through the Gogo Shell module. This command injection vulnerability was discovered and disclosed in November 2020 (Medium Blog, NVD).

The vulnerability exists in the Gogo Shell module, which is accessible through the Liferay Portal control panel. While the module is designed to provide interaction with the module framework through predefined commands, it fails to properly validate input, allowing administrators to execute arbitrary OS commands that go beyond the intended functionality (Medium Blog).

When exploited, this vulnerability allows administrator users to execute any operating system command on the Liferay Portal Server. This could lead to complete server compromise within the context of the running application (NVD).

The vulnerability has been disputed, suggesting that administrator access to execute commands might be intended functionality. However, organizations should carefully evaluate whether to restrict access to the Gogo Shell module and implement additional validation mechanisms to check which commands can be executed (NVD).