CVE-2019-6588 – com.liferay.portal:release.portal.bom

Package

Manager: maven
Name: com.liferay.portal:release.portal.bom
Vulnerable Version: >=0 <7.1.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00691 pctl0.70905

Details

Liferay Portal Allows Cross-Site Scripting (XSS) via the SimpleCaptcha API In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.

Metadata

Created: 2022-05-24T16:47:03Z
Modified: 2025-04-28T19:30:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hwp2-gvm5-452f/GHSA-hwp2-gvm5-452f.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-hwp2-gvm5-452f
Finding: F425
Auto approve: 1