#VU35859 Cross-site scripting in Liferay Enterprise Portal - CVE-2019-6588
Published: June 3, 2019 / Updated: June 17, 2021
Vulnerability identifier: #VU35859
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear
CVE-ID: CVE-2019-6588
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Liferay Enterprise Portal
Liferay Enterprise Portal
Software vendor:
Liferay
Liferay
Description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.
Remediation
Install update from vendor's website.