fkie_cve-2019-6588
Vulnerability from fkie_nvd
Published
2019-06-03 20:29
Modified
2024-11-21 04:46
Severity ?
Summary
In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*",
"matchCriteriaId": "FA36613B-2934-4328-8D79-DA2E4DCAA21C",
"versionEndIncluding": "6.0.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:b1:*:*:community:*:*:*",
"matchCriteriaId": "5FFE793D-A9F8-478A-A05C-8ADD376741E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:b2:*:*:community:*:*:*",
"matchCriteriaId": "6BA0C52D-BBB8-4A86-A96D-4BDCD29FB758",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:b3:*:*:community:*:*:*",
"matchCriteriaId": "4FE5AB24-2D11-410B-ADF5-44B67CA98832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:b4:*:*:community:*:*:*",
"matchCriteriaId": "5B726B37-50BC-47A8-8FDF-7A66E855014F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:ga1:*:*:community:*:*:*",
"matchCriteriaId": "BB738110-EB09-42DE-98DA-12BE32DE57C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.0:rc1:*:*:community:*:*:*",
"matchCriteriaId": "1FB09531-2DD2-475C-BD22-E97901F56B3F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.1:ga2:*:*:community:*:*:*",
"matchCriteriaId": "DAFF5639-E14B-4DDF-9B3E-AB1C410A8F20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.1.2:ga3:*:*:community:*:*:*",
"matchCriteriaId": "C0683FB5-212D-4FD7-A4B1-8900D909086E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:b1:*:*:community:*:*:*",
"matchCriteriaId": "472FA08E-1641-4D12-86D2-C4615B722310",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:b2:*:*:community:*:*:*",
"matchCriteriaId": "001AF786-5DD2-4797-8740-31060A6A03A7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:ga1:*:*:community:*:*:*",
"matchCriteriaId": "9CA31B62-A9E2-478D-8CCA-F1923875CB9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m1:*:*:community:*:*:*",
"matchCriteriaId": "87572B01-6964-497B-A77D-269E020FA4F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m2:*:*:community:*:*:*",
"matchCriteriaId": "9D4C3B3F-6125-455D-8A43-4E55334D8951",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m3:*:*:community:*:*:*",
"matchCriteriaId": "30204763-F5B5-4FD8-814C-FE699C05E8C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m4:*:*:community:*:*:*",
"matchCriteriaId": "D071ABF1-38D7-4381-9B8E-0A08C7DC66C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m5:*:*:community:*:*:*",
"matchCriteriaId": "11DB0072-E95D-4A3F-A7EE-24FE395DA95F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:m6:*:*:community:*:*:*",
"matchCriteriaId": "A8D0B139-7982-4F35-A35E-CDE00D949DFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc1:*:*:community:*:*:*",
"matchCriteriaId": "61E60075-59B8-4555-893A-5C2A89D5F2DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc2:*:*:community:*:*:*",
"matchCriteriaId": "F692C4AF-6568-43D9-8EA8-AE6EFDFD76EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc3:*:*:community:*:*:*",
"matchCriteriaId": "7AC9FB0B-A24F-48FE-8DE7-9DF470064C9B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc4:*:*:community:*:*:*",
"matchCriteriaId": "2DE10E9E-5A7F-4241-88E4-796E91260F00",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc5:*:*:community:*:*:*",
"matchCriteriaId": "51EC8CDD-419B-4858-8FFB-91D0EF4496C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.0:rc6:*:*:community:*:*:*",
"matchCriteriaId": "0279FC7D-BF39-4CF6-BB80-2EE532D450E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.1:ga2:*:*:community:*:*:*",
"matchCriteriaId": "7DA37F01-82C9-4BF1-A349-861561AA3712",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.2:ga3:*:*:community:*:*:*",
"matchCriteriaId": "CC404755-D472-4A0D-8922-4E1957A04E40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.3:ga4:*:*:community:*:*:*",
"matchCriteriaId": "F9C0B6C3-0C26-4311-B472-4E3713A19152",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.4:ga5:*:*:community:*:*:*",
"matchCriteriaId": "E0F66C7B-9882-4E12-8D79-6BB5422B5946",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:6.2.5:ga6:*:*:community:*:*:*",
"matchCriteriaId": "AF1DBF1D-2344-4CDA-85EE-02A8F0B6F33D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a1:*:*:community:*:*:*",
"matchCriteriaId": "3FC682CE-28EF-440C-9E9F-2A69423E1935",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a2:*:*:community:*:*:*",
"matchCriteriaId": "B6B01EB4-F999-4F32-8BF1-9B763E0F05B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a3:*:*:community:*:*:*",
"matchCriteriaId": "D7FC066D-FDB1-4645-AC44-4256B2B41279",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a4:*:*:community:*:*:*",
"matchCriteriaId": "96082BE8-24A1-401A-9965-B8C8C606184C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:a5:*:*:community:*:*:*",
"matchCriteriaId": "CD5DC3C4-69C1-4346-8F65-90F08AAA90D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b1:*:*:community:*:*:*",
"matchCriteriaId": "EFDAD1AF-EC2F-4894-BA92-97A4B9E9ED1C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b2:*:*:community:*:*:*",
"matchCriteriaId": "F243A741-E860-4EA5-ADB0-9AA0AAABF93D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b3:*:*:community:*:*:*",
"matchCriteriaId": "33CEF26A-3217-451C-9A27-B23B9C967B05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b4:*:*:community:*:*:*",
"matchCriteriaId": "E472E8E9-1AAB-4845-9F11-1B3C570EA73E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b5:*:*:community:*:*:*",
"matchCriteriaId": "27F6273D-20A8-401A-9499-490F5642BE4F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b6:*:*:community:*:*:*",
"matchCriteriaId": "2B5C7F9F-B8FB-4A7A-A433-E1C156A9A5F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:b7:*:*:community:*:*:*",
"matchCriteriaId": "B8549860-D2DE-49A3-B1A9-4D254E83BDDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:ga1:*:*:community:*:*:*",
"matchCriteriaId": "3AA76510-6152-4F51-ACCC-8D6955EEDE18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m1:*:*:community:*:*:*",
"matchCriteriaId": "9F482A5E-B8A8-4F31-BF34-3C4105BADA34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m2:*:*:community:*:*:*",
"matchCriteriaId": "104A6584-6D9B-42F7-BFDA-A2BE9D900B2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m3:*:*:community:*:*:*",
"matchCriteriaId": "4D781468-2FDA-47C7-B1CA-9845B20D5E1C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m4:*:*:community:*:*:*",
"matchCriteriaId": "FA0F71E9-F6FE-4EEB-AF76-5EBB60D71067",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m5:*:*:community:*:*:*",
"matchCriteriaId": "F3E37093-DE34-4002-8B89-942DD7F26F60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m6:*:*:community:*:*:*",
"matchCriteriaId": "8A5B9B28-A6FC-4FB7-9071-B54AE4AB5EA2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.0:m7:*:*:community:*:*:*",
"matchCriteriaId": "3F92523D-3292-4E44-BB97-B97AE347CE15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.1:ga2:*:*:community:*:*:*",
"matchCriteriaId": "EEF7EDFF-BFC0-4006-9500-87BB76747146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.2:ga3:*:*:community:*:*:*",
"matchCriteriaId": "7EA79695-F8E9-4742-BF75-0C36B9D6233F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.3:ga4:*:*:community:*:*:*",
"matchCriteriaId": "9276ACC2-F339-4DF0-99B7-2897C6538F95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.4:ga5:*:*:community:*:*:*",
"matchCriteriaId": "E60E9992-7FB6-4963-BAB3-F1A124395E62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.5:ga6:*:*:community:*:*:*",
"matchCriteriaId": "ABD5E21F-1D23-48E0-9541-4D222703C634",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.0.6:ga7:*:*:community:*:*:*",
"matchCriteriaId": "1C54E49F-0886-4511-B205-98A982137DEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:a1:*:*:community:*:*:*",
"matchCriteriaId": "D4DCCFCE-E56D-495D-B9C1-98FB7C96421D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:a2:*:*:community:*:*:*",
"matchCriteriaId": "BBD777AB-DC4B-4860-A203-10FDA026CC4F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:b1:*:*:community:*:*:*",
"matchCriteriaId": "9C28A2C0-C7B8-4250-A0DC-AAA9D597EDD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:b2:*:*:community:*:*:*",
"matchCriteriaId": "EF37F090-D1A1-476A-8477-2AF84977FED4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:b3:*:*:community:*:*:*",
"matchCriteriaId": "E1A2043B-429C-4613-B155-E0DDBE385E12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:ga1:*:*:community:*:*:*",
"matchCriteriaId": "5041C958-4211-41BE-9644-8A543ABD7BC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:m1:*:*:community:*:*:*",
"matchCriteriaId": "9085829A-0DFC-4E68-B2A2-88CC33773C84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:m2:*:*:community:*:*:*",
"matchCriteriaId": "51EA228E-4463-4878-B4FB-B7443220E4D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:7.1.0:rc1:*:*:community:*:*:*",
"matchCriteriaId": "A2CB2283-D0E1-405B-B3AB-685DD548575E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the \"url\" parameter of the JSP taglib call \u003cliferay-ui:captcha url=\"\u003c%= url %\u003e\" /\u003e or \u003cliferay-captcha:captcha url=\"\u003c%= url %\u003e\" /\u003e. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable."
},
{
"lang": "es",
"value": "En el Portal Liferay anterior a 7.1 CE GA4, existe una vulnerabilidad de XSS en la API SimpleCaptcha cuando el c\u00f3digo personalizado pasa una entrada sin autorizaci\u00f3n al par\u00e1metro \"url\" de la etiqueta de la etiqueta JSP o . El comportamiento de Liferay Portal fuera de la caja sin personalizaciones no es vulnerable."
}
],
"id": "CVE-2019-6588",
"lastModified": "2024-11-21T04:46:45.383",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-06-03T20:29:01.547",
"references": [
{
"source": "cve@mitre.org",
"url": "http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…