Description
In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call
Remediation
References
http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html
https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3