Description

In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call or . Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.

Remediation

References

http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html

https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3

Related Vulnerabilities

CVE-2017-5643 Vulnerability in maven package org.apache.camel:camel-core

CVE-2022-24280 Vulnerability in maven package org.apache.pulsar:pulsar-proxy

CVE-2023-50730 Vulnerability in maven package edu.gemini:gsp-graphql-core_2.13

CVE-2016-3092 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2018-20677 Vulnerability in maven package org.webjars.bowergithub.twbs:bootstrap

Severity

Medium

Classification

CWE-79 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory