portal-service is vulnerable to cross-site scripting (XSS). The library does not sanitize the URL parameter in simplecaptcha.jsp, allowing an attacker to inject arbitrary script via the affected parameter.
packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html
dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3
github.com/liferay/liferay-portal/commit/342a69b014d94c5b7ed2a4bfc1f6a0f723dba475
www.valbrux.it/blog/2019/06/04/cve-2019-6588-liferay-portal-7-1-ce-ga4-simplecaptcha-api-xss/