In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.
Information
Published : 2019-06-03 20:29
Updated : 2024-02-28 17:08
NVD link : CVE-2019-6588
Mitre link : CVE-2019-6588
CVE.ORG link : CVE-2019-6588
Products Affected
liferay
- liferay_portal
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')