CVE-2019-6588 Information
Description
In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Reference
http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html
https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction Required
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
4.7
Base Severity
MEDIUM