CVE-2010-5327 in Liferay
Summary
by MITRE
Liferay Portal through 6.2.10 allows remote authenticated users to execute arbitrary shell commands via a crafted Velocity template.
Analysis
by VulDB Data Team • 05/13/2026
The vulnerability identified as CVE-2010-5327 represents a critical remote code execution flaw within Liferay Portal versions up to 6.2.10. This vulnerability specifically targets the portal's handling of Velocity templates, which are server-side scripting components used for dynamic content generation and template processing. The flaw enables authenticated attackers to inject malicious shell commands through carefully crafted Velocity template code, potentially compromising the entire portal infrastructure.
Exploitation relies on the Velocity template engine's insufficient input validation and sanitization. When an authenticated user submits Velocity template code containing command execution payloads, the portal processes the template without adequate security controls, and the commands run on the underlying operating system. This is a classic server-side template injection vulnerability that bypasses normal access controls and security boundaries.
From an operational impact perspective, this vulnerability exposes organizations to severe security risks including complete system compromise, data exfiltration, and lateral movement within network environments. Attackers can leverage this flaw to establish persistent backdoors, escalate privileges, and access sensitive organizational data stored within the Liferay portal. The authenticated nature of the attack means that even limited user accounts can potentially exploit this vulnerability, making it particularly dangerous for organizations with less restrictive access controls.
The vulnerability aligns with CWE-94, which describes "Improper Control of Generation of Code ('Code Injection')" and maps to ATT&CK technique T1059.007 for "Command and Scripting Interpreter: PowerShell" and T1059.002 for "Command and Scripting Interpreter: Windows Command Shell." Organizations should implement immediate mitigations including upgrading to patched versions of Liferay Portal, implementing strict template validation controls, and monitoring for unauthorized template modifications. Network segmentation and privileged access controls should be enforced to limit potential damage from successful exploitation attempts.
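One way to implement the template validation control mentioned above is a pre-save audit hook that flags the JVM introspection primitives a rendering template has no reason to use. This is an added example, not Liferay's code: the rule set, function names and both sample templates are constructed for illustration, and the blocked primitives follow what Velocity's SecureUberspector is documented to deny.

```python
import re
from dataclasses import dataclass

# Introspection primitives that Velocity's SecureUberspector is documented to
# block; a template that reaches for them is not doing ordinary rendering.
# Rule names and regexes are this example's own choices (assumed).
DANGEROUS_PATTERNS = {
    "getClass": re.compile(r"\.getClass\s*\("),
    "class-ref": re.compile(r"\$class\b"),
    "java.lang.Runtime": re.compile(r"java\.lang\.Runtime\b"),
    "ProcessBuilder": re.compile(r"\bProcessBuilder\b"),
    "reflection": re.compile(r"java\.lang\.reflect\b|\bClassLoader\b|\.forName\s*\("),
}

@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    text: str

def audit_template(template: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, in template order."""
    findings = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for rule, pattern in DANGEROUS_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(lineno, rule, line.strip()))
    return findings

def accept_template(template: str) -> bool:
    """Gate a template save: True only if no rule fires."""
    return not audit_template(template)

# Constructed samples: an ordinary ADT-style listing template, and one that
# reaches into the JVM instead of rendering content.
BENIGN_TEMPLATE = """\
## list asset entries for the current user (constructed)
<h2>Hello $user.getFullName()</h2>
#foreach ($entry in $entries)
  <li>$entry.getTitle($locale)</li>
#end
"""

SUSPICIOUS_TEMPLATE = """\
## constructed: introspection that no rendering template needs
<h2>Hello $user.getFullName()</h2>
#set ($klass = $user.getClass())
#set ($target = "java.lang.Runtime")
"""
```

Wiring `accept_template` into the template save path rejects the second sample while the first passes unchanged; pairing it with the engine's own SecureUberspector setting gives defence in depth rather than relying on the regexes alone.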