Base Score

MEDIUM4.7

CVE-2019-6588

In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.

VectorNETWORK

Published Bycve@mitre.org

Published DateJun 03, 2019, 20:29

Affected Versions(1)

com.liferay.portal:release.portal.bom(Maven)

Introduced0

Fixed7.1.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
com.liferay.portal:release.portal.bom(Maven)	0	7.1.0	N/A

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

4.7

Vector String

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE

References

Base Score

MEDIUM4.7

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

4.7

Vector String

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE