Description
The Liferay JSON service implementation does not check whether the user invoking a method on a service class is deactivated. A common pattern is to use the default administrator account, test@liferay.com, to create a new administrator and then deactivate the default account without changing its default password. Because the deactivated status is not enforced, that account can still authenticate and execute JSON API calls.
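The following is an added example, not Liferay's code: it models a JSON service dispatcher that authenticates callers with HTTP Basic credentials, and places the vulnerable check (password only) next to the hardened one (password plus account status). The accounts, passwords, service and method names are all constructed for the example; the "initial-password" value is hypothetical and is not any real Liferay default.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    active: bool
    roles: frozenset


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(email: str, password: str, active: bool, roles) -> Account:
    salt = secrets.token_bytes(16)
    return Account(email, salt, _hash_password(password, salt), active, frozenset(roles))


# Constructed user directory (hypothetical passwords, not Liferay defaults):
# the stock admin was used to create a replacement admin and was then
# deactivated without a password change.
USERS = {
    "test@liferay.com": make_account("test@liferay.com", "initial-password",
                                     active=False, roles={"Administrator"}),
    "admin@example.com": make_account("admin@example.com", "S3cr3t!pass",
                                      active=True, roles={"Administrator"}),
}


def parse_basic_auth(header: str):
    """Return (email, password) from an HTTP Basic Authorization header, else None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    email, sep, password = decoded.partition(":")
    return (email, password) if sep else None


def _lookup_with_valid_password(header: str):
    """Return the account whose password matches the header, else None."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    acct = USERS.get(creds[0])
    if acct is None:
        return None
    if not hmac.compare_digest(acct.pw_hash, _hash_password(creds[1], acct.salt)):
        return None
    return acct


def authenticate_vulnerable(header: str):
    """Password-only check: mirrors the flaw, a deactivated account still passes."""
    return _lookup_with_valid_password(header)


def authenticate_hardened(header: str):
    """Password check plus account-status check; deactivated accounts fail closed."""
    acct = _lookup_with_valid_password(header)
    if acct is None or not acct.active:
        return None
    return acct


def invoke(authenticate, header: str, service_class: str, method: str):
    """Dispatch a JSON API call and return (http_status, body)."""
    acct = authenticate(header)
    if acct is None:
        return 401, {"error": "authentication failed"}
    if "Administrator" not in acct.roles:
        return 403, {"error": "permission denied"}
    return 200, {"result": f"{service_class}.{method} executed as {acct.email}"}


def basic_header(email: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{email}:{password}".encode()).decode()


if __name__ == "__main__":
    hdr = basic_header("test@liferay.com", "initial-password")
    print("vulnerable:", invoke(authenticate_vulnerable, hdr, "UserService", "addUser"))
    print("hardened:  ", invoke(authenticate_hardened, hdr, "UserService", "addUser"))
```

With the vulnerable authenticator the deactivated default account still gets a 200 for an administrative call; the hardened one rejects it with the same generic 401 a bad password produces, so the response does not reveal whether the account exists or is merely deactivated. The status check belongs in the authenticator, not in individual service methods, so that every service class inherits it.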
Remediation
Upgrade to the latest version of Liferay. In addition, change the password of the default administrator account (or remove the account) rather than relying on deactivation alone, since on affected versions a deactivated account can still authenticate to the JSON API.
References
Related Vulnerabilities
TYPO3 Uncontrolled Recursion Vulnerability (CVE-2022-23500)
Craft CMS Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2018-3814)
Sqlite NULL Pointer Dereference Vulnerability (CVE-2019-19242)
CakePHP Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2015-8379)
WordPress Plugin iThemes Security (formerly Better WP Security) Security Bypass (7.9.0)