Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-6588 — Cross-site Scripting in Portal

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

4.7MEDIUMNVD

EPSS

0.7%

top 28.16%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Liferay Portal

Timeline

PublishedJun 3

Latest updateMay 24

Description

In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call " /> or " />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 1.6 | Impact: 2.7

Affected Packages1 packages

▶NVDliferay/liferay_portal6.0.6+17

🔴Vulnerability Details

GHSA

Liferay Portal Allows Cross-Site Scripting (XSS) via the SimpleCaptcha API↗2022-05-24

▶

OSV

Liferay Portal Allows Cross-Site Scripting (XSS) via the SimpleCaptcha API↗2022-05-24

▶

CVEList

CVE-2019-6588: In Liferay Portal before 7↗2019-06-03

▶

💥Exploits & PoCs

Exploit-DB

Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting↗2019-06-11

▶