Cross-site scripting in Liferay Enterprise Portal - CVE-2019-6588


Published: June 3, 2019 / Updated: June 17, 2021


Vulnerability identifier: #VU35859
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear
CVE-ID: CVE-2019-6588
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: Liferay
Affected software:
Liferay Enterprise Portal

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.
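To check whether custom code is affected, the following added example (not Liferay's code and not part of the original advisory) scans JSP source for the two taglib calls named above whose url attribute is a JSP expression. Treating `request.getParameter` as the source of user input is an assumption of this sketch, and the sample JSP, its variable names and its paths are constructed.

```python
import re

# The two taglib calls named in the advisory, with url given as a JSP expression.
CAPTCHA_URL = re.compile(
    r'<(liferay-ui|liferay-captcha):captcha\b'  # taglib prefix and tag name
    r'(?:(?!/>).)*?'                            # other attributes of the same tag
    r'\burl\s*=\s*"<%=\s*(.+?)\s*%>"',          # url="<%= expression %>"
    re.DOTALL,
)
# Assumption: request.getParameter(...) is how the custom code reads user input.
REQUEST_READ = r'request\.getParameter\s*\('


def audit_jsp(source):
    """Return one finding per captcha tag whose url attribute is dynamic."""
    findings = []
    for m in CAPTCHA_URL.finditer(source):
        expr = m.group(2)
        # Direct case: the expression itself reads a request parameter.
        tainted = re.search(REQUEST_READ, expr) is not None
        # Indirect case: a bare variable assigned from the request earlier on.
        if not tainted and re.fullmatch(r'[A-Za-z_]\w*', expr):
            assigned = r'\b' + re.escape(expr) + r'\s*=[^;]*' + REQUEST_READ
            tainted = re.search(assigned, source[:m.start()]) is not None
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "tag": m.group(1) + ":captcha",
            "expr": expr,
            "risk": "request-derived" if tainted else "review",
        })
    return findings


# Constructed sample JSP (not from Liferay or any real project).
SAMPLE_JSP = """<%
String url = request.getParameter("captchaUrl");
String fixedUrl = "/example/captcha";
%>
<liferay-ui:captcha url="<%= url %>" />
<liferay-captcha:captcha url="<%= fixedUrl %>" />
<liferay-ui:captcha url="/example/captcha" />
"""

if __name__ == "__main__":
    for finding in audit_jsp(SAMPLE_JSP):
        print(finding)
```

A "review" result means the expression is dynamic but no request read was found in the same file, so the value's origin still has to be traced by hand; a literal url attribute is not reported.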


How to mitigate CVE-2019-6588

Install the update from the vendor's website.
