PRIOn knowledge basePRION:CVE-2019-6588

HistoryJun 03, 2019 - 8:29 p.m.

Cross site scripting

2019-06-0320:29:00

PRIOn knowledge base

www.prio-n.com

4.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.9%

JSON

In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the “url” parameter of the JSP taglib call <liferay-ui:captcha url=“<%= url %>” /> or <liferay-captcha:captcha url=“<%= url %>” />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.

CPENameOperatorVersion
liferay_portaleq7.1.0 a1
liferay_portaleq7.1.0 a2
liferay_portaleq7.1.0 b1
liferay_portaleq7.1.0 b2
liferay_portaleq7.1.0 b3
liferay_portaleq7.1.0 ga1
liferay_portaleq7.1.0 m1
liferay_portaleq7.1.0 m2
liferay_portaleq7.1.0 rc1
liferay_portaleq7.0.6 ga7

Name	Operator	Version
liferay_portal	eq	7.1.0 a1
liferay_portal	eq	7.1.0 a2
liferay_portal	eq	7.1.0 b1
liferay_portal	eq	7.1.0 b2
liferay_portal	eq	7.1.0 b3
liferay_portal	eq	7.1.0 ga1
liferay_portal	eq	7.1.0 m1
liferay_portal	eq	7.1.0 m2
liferay_portal	eq	7.1.0 rc1
liferay_portal	eq	7.0.6 ga7

Rows per page:

1-10 of 641

References

packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html

dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3