Strix
26.1K

CVE-2019-6588

UnknownEPSS 2.28%

Last modified

CVE-2019-6588 is a vulnerability of currently unknown severity. In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.. EPSS estimates a 2.28% chance of exploitation in the next 30 days.

Description

In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.

Metrics

EPSS Probability
2.28%

80.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
LiferayLiferay Portal<= 6.0.6
LiferayLiferay Portal6.1.0B1
LiferayLiferay Portal6.1.1Ga2
LiferayLiferay Portal6.1.2Ga3
LiferayLiferay Portal6.2.0B1
LiferayLiferay Portal6.2.1Ga2
LiferayLiferay Portal6.2.2Ga3
LiferayLiferay Portal6.2.3Ga4
LiferayLiferay Portal6.2.4Ga5
LiferayLiferay Portal6.2.5Ga6
LiferayLiferay Portal7.0.0A1
LiferayLiferay Portal7.0.1Ga2
LiferayLiferay Portal7.0.2Ga3
LiferayLiferay Portal7.0.3Ga4
LiferayLiferay Portal7.0.4Ga5
LiferayLiferay Portal7.0.5Ga6
LiferayLiferay Portal7.0.6Ga7
LiferayLiferay Portal7.1.0A1

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2019-6588?
In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.
How severe is CVE-2019-6588?
Severity scoring for CVE-2019-6588 is pending analysis. The EPSS model estimates a 2.28% probability of exploitation in the next 30 days.
How do I fix CVE-2019-6588?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-6588?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST