CVE-2019-6588

In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.1.0:b1:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.1.0:b2:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.1.0:b3:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.1.0:b4:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.1.0:ga1:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.1.0:rc1:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.1.1:ga2:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.1.2:ga3:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.0:b1:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.0:b2:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.0:ga1:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.0:m1:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.0:m2:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.0:m3:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.0:m4:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.0:m5:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.0:m6:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.0:rc1:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.0:rc2:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.0:rc3:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.0:rc4:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.0:rc5:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.0:rc6:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.1:ga2:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.2:ga3:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.3:ga4:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.4:ga5:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:6.2.5:ga6:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:a1:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:a2:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:a3:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:a4:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:a5:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:b1:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:b2:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:b3:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:b4:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:b5:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:b6:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:b7:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:ga1:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:m1:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:m2:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:m3:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:m4:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:m5:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:m6:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.0:m7:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.1:ga2:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.2:ga3:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.3:ga4:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.4:ga5:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.5:ga6:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.6:ga7:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.1.0:a1:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.1.0:a2:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.1.0:b1:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.1.0:b2:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.1.0:b3:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.1.0:ga1:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.1.0:m1:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.1.0:m2:*:*:community:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.1.0:rc1:*:*:community:*:*:*

History

21 Nov 2024, 04:46

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html - () http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html -
References () https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3 - Vendor Advisory () https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3 - Vendor Advisory

Information

Published : 2019-06-03 20:29

Updated : 2024-11-21 04:46


NVD link : CVE-2019-6588

Mitre link : CVE-2019-6588

CVE.ORG link : CVE-2019-6588


JSON object : View

Products Affected

liferay

  • liferay_portal
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')