GHSA-hwp2-gvm5-452f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hwp2-gvm5-452f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hwp2-gvm5-452f/GHSA-hwp2-gvm5-452f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hwp2-gvm5-452f
- Aliases
- Published
- 2022-05-24T16:47:03Z
- Modified
- 2025-04-28T20:27:14.309967Z
- Severity
-
- 4.7 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Liferay Portal Allows Cross-Site Scripting (XSS) via the SimpleCaptcha API
- Details
-
In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.
- Database specific
{ "nvd_published_at": "2019-06-03T20:29:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-04-28T19:30:32Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-6588
- https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3
- https://github.com/liferay/liferay-portal
- http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html
Affected packages
Maven / com.liferay.portal:release.portal.bom
Package
- Name
- com.liferay.portal:release.portal.bom
- View open source insights on deps.dev
- Purl
- pkg:maven/com.liferay.portal/release.portal.bom