Description
In Liferay Portal before 7.1 CE GA4, a cross-site scripting (XSS) vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call.
Remediation
References
http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html
https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3