Lucene search

[email protected]NVD:CVE-2019-6588

HistoryJun 03, 2019 - 8:29 p.m.

CVE-2019-6588

2019-06-0320:29:01

CWE-79

[email protected]

web.nvd.nist.gov

2.6 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

4.7 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

4.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.9%

JSON

In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the “url” parameter of the JSP taglib call <liferay-ui:captcha url=“<%= url %>” /> or <liferay-captcha:captcha url=“<%= url %>” />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.

Affected configurations

NVD

Node

liferayliferay_portalRange≤6.0.6community

liferayliferay_portalMatch6.1.0b1community

liferayliferay_portalMatch6.1.0b2community

liferayliferay_portalMatch6.1.0b3community

liferayliferay_portalMatch6.1.0b4community

liferayliferay_portalMatch6.1.0ga1community

liferayliferay_portalMatch6.1.0rc1community

liferayliferay_portalMatch6.1.1ga2community

liferayliferay_portalMatch6.1.2ga3community

liferayliferay_portalMatch6.2.0b1community

liferayliferay_portalMatch6.2.0b2community

liferayliferay_portalMatch6.2.0ga1community

liferayliferay_portalMatch6.2.0m1community

liferayliferay_portalMatch6.2.0m2community

liferayliferay_portalMatch6.2.0m3community

liferayliferay_portalMatch6.2.0m4community

liferayliferay_portalMatch6.2.0m5community

liferayliferay_portalMatch6.2.0m6community

liferayliferay_portalMatch6.2.0rc1community

liferayliferay_portalMatch6.2.0rc2community

liferayliferay_portalMatch6.2.0rc3community

liferayliferay_portalMatch6.2.0rc4community

liferayliferay_portalMatch6.2.0rc5community

liferayliferay_portalMatch6.2.0rc6community

liferayliferay_portalMatch6.2.1ga2community

liferayliferay_portalMatch6.2.2ga3community

liferayliferay_portalMatch6.2.3ga4community

liferayliferay_portalMatch6.2.4ga5community

liferayliferay_portalMatch6.2.5ga6community

liferayliferay_portalMatch7.0.0a1community

liferayliferay_portalMatch7.0.0a2community

liferayliferay_portalMatch7.0.0a3community

liferayliferay_portalMatch7.0.0a4community

liferayliferay_portalMatch7.0.0a5community

liferayliferay_portalMatch7.0.0b1community

liferayliferay_portalMatch7.0.0b2community

liferayliferay_portalMatch7.0.0b3community

liferayliferay_portalMatch7.0.0b4community

liferayliferay_portalMatch7.0.0b5community

liferayliferay_portalMatch7.0.0b6community

liferayliferay_portalMatch7.0.0b7community

liferayliferay_portalMatch7.0.0ga1community

liferayliferay_portalMatch7.0.0m1community

liferayliferay_portalMatch7.0.0m2community

liferayliferay_portalMatch7.0.0m3community

liferayliferay_portalMatch7.0.0m4community

liferayliferay_portalMatch7.0.0m5community

liferayliferay_portalMatch7.0.0m6community

liferayliferay_portalMatch7.0.0m7community

liferayliferay_portalMatch7.0.1ga2community

liferayliferay_portalMatch7.0.2ga3community

liferayliferay_portalMatch7.0.3ga4community

liferayliferay_portalMatch7.0.4ga5community

liferayliferay_portalMatch7.0.5ga6community

liferayliferay_portalMatch7.0.6ga7community

liferayliferay_portalMatch7.1.0a1community

liferayliferay_portalMatch7.1.0a2community

liferayliferay_portalMatch7.1.0b1community

liferayliferay_portalMatch7.1.0b2community

liferayliferay_portalMatch7.1.0b3community

liferayliferay_portalMatch7.1.0ga1community

liferayliferay_portalMatch7.1.0m1community

liferayliferay_portalMatch7.1.0m2community

liferayliferay_portalMatch7.1.0rc1community

References

packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html

dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3