PatchSiren

CVE-2010-5327 Liferay CVE debrief

CVE-2010-5327 is a high-severity authenticated remote code execution issue in Liferay Portal. According to the NVD record, an attacker with valid credentials can abuse a crafted Velocity template to execute arbitrary shell commands. The vulnerable range is listed as Liferay Portal through 6.2.10. The NVD CVSS 3.0 vector rates this as network-exploitable with low attack complexity and high impact to confidentiality, integrity, and availability.

Vendor: Liferay
Product: CVE-2010-5327
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

Organizations running Liferay Portal should care, especially those with environments that allow authenticated users to work with templates or other features exposed to Velocity processing. Security teams, portal administrators, and application owners should treat this as a priority because it combines authenticated access with full system impact.

Technical summary

The NVD entry describes a template-related attack path in Liferay Portal where a remote authenticated user can submit a crafted Velocity template and cause arbitrary shell command execution. NVD assigns CVSS 3.0 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and lists CWE-264 as the primary weakness. The affected CPE range in the record ends at version 6.2.10 inclusive. Vendor references point to Liferay advisories, issue tracker entries, and a fixing commit.

Defensive priority

High. This is a remotely reachable, authenticated RCE with full CIA impact, and it is explicitly listed by NVD with a high CVSS score of 8.8.

Recommended defensive actions

  • Apply the relevant Liferay vendor patch or upgrade path referenced in the Liferay advisory and commit history.
  • Confirm whether any deployed Liferay Portal instance is at or below version 6.2.10 and prioritize remediation.
  • Restrict access to any template editing or Velocity-related functionality to only tightly controlled administrative roles.
  • Review application and system logs for suspicious template changes or unexpected shell command execution around Liferay admin activity.
  • If immediate patching is not possible, reduce exposure by limiting who can authenticate to the affected portal features and by isolating the system as much as practical.

Evidence notes

This debrief is based on the supplied NVD record and the linked official/vendor references. The record states: Liferay Portal through 6.2.10 is vulnerable; remote authenticated users can execute arbitrary shell commands via a crafted Velocity template. The NVD record also provides the CVSS 3.0 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and references the Liferay advisory, issue tracker items, and the fixing commit.

Official resources

CVE published by NVD on 2017-01-13T19:59:00.137Z and later modified on 2026-05-13T00:24:29.033Z. The supplied record does not provide an exploit publication date or proof-of-exploitation status.