CVE-2019-6588: Liferay Portal Allows Cross-Site Scripting (XSS) via the SimpleCaptcha API

May 24, 2022 (updated April 28, 2025)

In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the “url” parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.

References

dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3
github.com/advisories/GHSA-hwp2-gvm5-452f
github.com/liferay/liferay-portal
nvd.nist.gov/vuln/detail/CVE-2019-6588

Code Behaviors & Features

Detect and mitigate CVE-2019-6588 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →