FKIE_CVE-2019-6588
Vulnerability from fkie_nvd - Published: 2019-06-03 20:29 - Updated: 2024-11-21 04:46
Severity ?
Summary
In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*",
"matchCriteriaId": "FA36613B-2934-4328-8D79-DA2E4DCAA21C",
"versionEndIncluding": "6.0.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:b1:*:*:community:*:*:*",
"matchCriteriaId": "5FFE793D-A9F8-478A-A05C-8ADD376741E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:b2:*:*:community:*:*:*",
"matchCriteriaId": "6BA0C52D-BBB8-4A86-A96D-4BDCD29FB758",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:b3:*:*:community:*:*:*",
"matchCriteriaId": "4FE5AB24-2D11-410B-ADF5-44B67CA98832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:b4:*:*:community:*:*:*",
"matchCriteriaId": "5B726B37-50BC-47A8-8FDF-7A66E855014F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:ga1:*:*:community:*:*:*",
"matchCriteriaId": "BB738110-EB09-42DE-98DA-12BE32DE57C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:rc1:*:*:community:*:*:*",
"matchCriteriaId": "1FB09531-2DD2-475C-BD22-E97901F56B3F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.1:ga2:*:*:community:*:*:*",
"matchCriteriaId": "DAFF5639-E14B-4DDF-9B3E-AB1C410A8F20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.2:ga3:*:*:community:*:*:*",
"matchCriteriaId": "C0683FB5-212D-4FD7-A4B1-8900D909086E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:b1:*:*:community:*:*:*",
"matchCriteriaId": "472FA08E-1641-4D12-86D2-C4615B722310",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:b2:*:*:community:*:*:*",
"matchCriteriaId": "001AF786-5DD2-4797-8740-31060A6A03A7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:ga1:*:*:community:*:*:*",
"matchCriteriaId": "9CA31B62-A9E2-478D-8CCA-F1923875CB9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m1:*:*:community:*:*:*",
"matchCriteriaId": "87572B01-6964-497B-A77D-269E020FA4F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m2:*:*:community:*:*:*",
"matchCriteriaId": "9D4C3B3F-6125-455D-8A43-4E55334D8951",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m3:*:*:community:*:*:*",
"matchCriteriaId": "30204763-F5B5-4FD8-814C-FE699C05E8C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m4:*:*:community:*:*:*",
"matchCriteriaId": "D071ABF1-38D7-4381-9B8E-0A08C7DC66C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m5:*:*:community:*:*:*",
"matchCriteriaId": "11DB0072-E95D-4A3F-A7EE-24FE395DA95F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m6:*:*:community:*:*:*",
"matchCriteriaId": "A8D0B139-7982-4F35-A35E-CDE00D949DFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc1:*:*:community:*:*:*",
"matchCriteriaId": "61E60075-59B8-4555-893A-5C2A89D5F2DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc2:*:*:community:*:*:*",
"matchCriteriaId": "F692C4AF-6568-43D9-8EA8-AE6EFDFD76EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc3:*:*:community:*:*:*",
"matchCriteriaId": "7AC9FB0B-A24F-48FE-8DE7-9DF470064C9B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc4:*:*:community:*:*:*",
"matchCriteriaId": "2DE10E9E-5A7F-4241-88E4-796E91260F00",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc5:*:*:community:*:*:*",
"matchCriteriaId": "51EC8CDD-419B-4858-8FFB-91D0EF4496C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc6:*:*:community:*:*:*",
"matchCriteriaId": "0279FC7D-BF39-4CF6-BB80-2EE532D450E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.1:ga2:*:*:community:*:*:*",
"matchCriteriaId": "7DA37F01-82C9-4BF1-A349-861561AA3712",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.2:ga3:*:*:community:*:*:*",
"matchCriteriaId": "CC404755-D472-4A0D-8922-4E1957A04E40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.3:ga4:*:*:community:*:*:*",
"matchCriteriaId": "F9C0B6C3-0C26-4311-B472-4E3713A19152",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.4:ga5:*:*:community:*:*:*",
"matchCriteriaId": "E0F66C7B-9882-4E12-8D79-6BB5422B5946",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.5:ga6:*:*:community:*:*:*",
"matchCriteriaId": "AF1DBF1D-2344-4CDA-85EE-02A8F0B6F33D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a1:*:*:community:*:*:*",
"matchCriteriaId": "3FC682CE-28EF-440C-9E9F-2A69423E1935",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a2:*:*:community:*:*:*",
"matchCriteriaId": "B6B01EB4-F999-4F32-8BF1-9B763E0F05B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a3:*:*:community:*:*:*",
"matchCriteriaId": "D7FC066D-FDB1-4645-AC44-4256B2B41279",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a4:*:*:community:*:*:*",
"matchCriteriaId": "96082BE8-24A1-401A-9965-B8C8C606184C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a5:*:*:community:*:*:*",
"matchCriteriaId": "CD5DC3C4-69C1-4346-8F65-90F08AAA90D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b1:*:*:community:*:*:*",
"matchCriteriaId": "EFDAD1AF-EC2F-4894-BA92-97A4B9E9ED1C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b2:*:*:community:*:*:*",
"matchCriteriaId": "F243A741-E860-4EA5-ADB0-9AA0AAABF93D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b3:*:*:community:*:*:*",
"matchCriteriaId": "33CEF26A-3217-451C-9A27-B23B9C967B05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b4:*:*:community:*:*:*",
"matchCriteriaId": "E472E8E9-1AAB-4845-9F11-1B3C570EA73E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b5:*:*:community:*:*:*",
"matchCriteriaId": "27F6273D-20A8-401A-9499-490F5642BE4F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b6:*:*:community:*:*:*",
"matchCriteriaId": "2B5C7F9F-B8FB-4A7A-A433-E1C156A9A5F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b7:*:*:community:*:*:*",
"matchCriteriaId": "B8549860-D2DE-49A3-B1A9-4D254E83BDDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:ga1:*:*:community:*:*:*",
"matchCriteriaId": "3AA76510-6152-4F51-ACCC-8D6955EEDE18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m1:*:*:community:*:*:*",
"matchCriteriaId": "9F482A5E-B8A8-4F31-BF34-3C4105BADA34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m2:*:*:community:*:*:*",
"matchCriteriaId": "104A6584-6D9B-42F7-BFDA-A2BE9D900B2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m3:*:*:community:*:*:*",
"matchCriteriaId": "4D781468-2FDA-47C7-B1CA-9845B20D5E1C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m4:*:*:community:*:*:*",
"matchCriteriaId": "FA0F71E9-F6FE-4EEB-AF76-5EBB60D71067",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m5:*:*:community:*:*:*",
"matchCriteriaId": "F3E37093-DE34-4002-8B89-942DD7F26F60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m6:*:*:community:*:*:*",
"matchCriteriaId": "8A5B9B28-A6FC-4FB7-9071-B54AE4AB5EA2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m7:*:*:community:*:*:*",
"matchCriteriaId": "3F92523D-3292-4E44-BB97-B97AE347CE15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.1:ga2:*:*:community:*:*:*",
"matchCriteriaId": "EEF7EDFF-BFC0-4006-9500-87BB76747146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.2:ga3:*:*:community:*:*:*",
"matchCriteriaId": "7EA79695-F8E9-4742-BF75-0C36B9D6233F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.3:ga4:*:*:community:*:*:*",
"matchCriteriaId": "9276ACC2-F339-4DF0-99B7-2897C6538F95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.4:ga5:*:*:community:*:*:*",
"matchCriteriaId": "E60E9992-7FB6-4963-BAB3-F1A124395E62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.5:ga6:*:*:community:*:*:*",
"matchCriteriaId": "ABD5E21F-1D23-48E0-9541-4D222703C634",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.6:ga7:*:*:community:*:*:*",
"matchCriteriaId": "1C54E49F-0886-4511-B205-98A982137DEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:a1:*:*:community:*:*:*",
"matchCriteriaId": "D4DCCFCE-E56D-495D-B9C1-98FB7C96421D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:a2:*:*:community:*:*:*",
"matchCriteriaId": "BBD777AB-DC4B-4860-A203-10FDA026CC4F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:b1:*:*:community:*:*:*",
"matchCriteriaId": "9C28A2C0-C7B8-4250-A0DC-AAA9D597EDD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:b2:*:*:community:*:*:*",
"matchCriteriaId": "EF37F090-D1A1-476A-8477-2AF84977FED4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:b3:*:*:community:*:*:*",
"matchCriteriaId": "E1A2043B-429C-4613-B155-E0DDBE385E12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:ga1:*:*:community:*:*:*",
"matchCriteriaId": "5041C958-4211-41BE-9644-8A543ABD7BC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:m1:*:*:community:*:*:*",
"matchCriteriaId": "9085829A-0DFC-4E68-B2A2-88CC33773C84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:m2:*:*:community:*:*:*",
"matchCriteriaId": "51EA228E-4463-4878-B4FB-B7443220E4D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:rc1:*:*:community:*:*:*",
"matchCriteriaId": "A2CB2283-D0E1-405B-B3AB-685DD548575E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the \"url\" parameter of the JSP taglib call \u003cliferay-ui:captcha url=\"\u003c%= url %\u003e\" /\u003e or \u003cliferay-captcha:captcha url=\"\u003c%= url %\u003e\" /\u003e. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable."
},
{
"lang": "es",
"value": "En el Portal Liferay anterior a 7.1 CE GA4, existe una vulnerabilidad de XSS en la API SimpleCaptcha cuando el c\u00f3digo personalizado pasa una entrada sin autorizaci\u00f3n al par\u00e1metro \"url\" de la etiqueta de la etiqueta JSP o . El comportamiento de Liferay Portal fuera de la caja sin personalizaciones no es vulnerable."
}
],
"id": "CVE-2019-6588",
"lastModified": "2024-11-21T04:46:45.383",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-06-03T20:29:01.547",
"references": [
{
"source": "cve@mitre.org",
"url": "http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…