Description

In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call or . Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.

Remediation

References

http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html

https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3

Related Vulnerabilities

CVE-2022-1415 Vulnerability in maven package org.drools:drools-core

CVE-2021-41183 Vulnerability in maven package org.webjars.bowergithub.jquery:jquery-ui

CVE-2014-3667 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2020-2119 Vulnerability in maven package org.jenkins-ci.plugins:azure-ad

CVE-2022-31781 Vulnerability in maven package org.apache.tapestry:tapestry-core

Severity

Medium

Classification

CWE-79 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory