{"id":"CVE-2019-6588","details":"In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the \"url\" parameter of the JSP taglib call \u003cliferay-ui:captcha url=\"\u003c%= url %\u003e\" /\u003e or \u003cliferay-captcha:captcha url=\"\u003c%= url %\u003e\" /\u003e. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.","aliases":["GHSA-hwp2-gvm5-452f"],"modified":"2026-04-10T04:19:49.897260Z","published":"2019-06-03T20:29:01.547Z","references":[{"type":"WEB","url":"http://packetstormsecurity.com/files/153252/Liferay-Portal-7.1-CE-GA4-Cross-Site-Scripting.html"},{"type":"ADVISORY","url":"https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/liferay/liferay-portal","events":[{"introduced":"0"},{"last_affected":"73c2fa07b6d1ce2d0b52d290fda7c859ed3ec5d9"},{"introduced":"0"},{"last_affected":"4f5603382bdec76b2342fa4fbc2088fde55a6701"},{"introduced":"0"},{"last_affected":"037e5369e4770a9ca7ee4e39f0dbb2eb2862532a"},{"introduced":"0"},{"last_affected":"2ced8fc435f38494ae939edcb6bf0872006d289e"},{"introduced":"0"},{"last_affected":"73c2fa07b6d1ce2d0b52d290fda7c859ed3ec5d9"},{"introduced":"0"},{"last_affected":"c41fe6f9251c732abbbaff0833093997f45fe771"},{"introduced":"0"},{"last_affected":"fe708510b1566583870a6be892d86f1761a1e64b"},{"introduced":"0"},{"last_affected":"a3636a9d8cf1db7d6d4c37dfb66b5696826e6181"},{"introduced":"0"},{"last_affected":"102d1733262a50f3b38b0ac345cf4edcec0c0147"},{"introduced":"0"},{"last_affected":"88c0f2887b0b043996debaa2ac89cfbb58bf34d4"},{"introduced":"0"},{"last_affected":"102d1733262a50f3b38b0ac345cf4edcec0c0147"},{"introduced":"0"},{"last_affected":"102d1733262a50f3b38b0ac345cf4edcec0c0147"},{"introduced":"0"},{"last_affected":"88c0f2887b0b043996debaa2ac89cfbb58bf34d4"},{"introduced":"0"},{"last_affected":"5e70cf5d85b7b8d134231a5a849f7c14ec999c37"},{"introduced":"0"},{"last_affected":"b3d91bbdf96c0b496a9e9d413c853fd4ec4dd398"},{"introduced":"0"},{"last_affected":"88ce66386e7523b9a6a13f4452671bda5ebf3c00"},{"introduced":"0"},{"last_affected":"2fe263fd4a97be4062f8f610faaf951b59ba9812"},{"introduced":"0"},{"last_affected":"b763e6b461b351df22d19cfeef6cc6e87dc063a2"},{"introduced":"0"},{"last_affected":"1a0613d1058c2026fcd0a95f42e7ee691cb5152a"},{"introduced":"0"},{"last_affected":"a4975bcab9dbeed99486741ab9bfb11af986603f"},{"introduced":"0"},{"last_affected":"dd0055a1dbc65732bc0b4e3fb8142ef31e247ff8"},{"introduced":"0"},{"last_affected":"81f35b7112af4ab38e8fe2e0e44f8c9cea5d6927"},{"introduced":"0"},{"last_affected":"a70f328d72613022e94f40f963a8b65d6a84b365"},{"introduced":"0"},{"last_affected":"93e22c329f89bfa8056fd1038700c8cc0852ad77"},{"introduced":"0"},{"last_affected":"dd5ac7f5cf0102e1d230c5840a29f473cdbeb2e3"},{"introduced":"0"},{"last_affected":"20502a3ea3a6498a038b27530f3f35f3a511ec75"},{"introduced":"0"},{"last_affected":"cb6351aff7ad2cb5dcf4c30e7583079770757425"},{"introduced":"0"},{"last_affected":"65d7a800f1a57b232a127bdcaefb876a9de469f9"},{"introduced":"0"},{"last_affected":"b0b9e85245327a06dbceac9407cdff2465b757a6"},{"introduced":"0"},{"last_affected":"586bf2c21b0bd775aedc0789c37d6111da043d76"},{"introduced":"0"},{"last_affected":"712e525580fa83d989cb748dbab27dc7a5d94ccd"},{"introduced":"0"},{"last_affected":"7ea9043aa7383d4f2d1656135b535f3276608988"},{"introduced":"0"},{"last_affected":"0ea0614a95bd1c31945a9a096e22f40cdf29700c"},{"introduced":"0"},{"last_affected":"b0b9e85245327a06dbceac9407cdff2465b757a6"},{"introduced":"0"},{"last_affected":"586bf2c21b0bd775aedc0789c37d6111da043d76"},{"introduced":"0"},{"last_affected":"712e525580fa83d989cb748dbab27dc7a5d94ccd"},{"introduced":"0"},{"last_affected":"7ea9043aa7383d4f2d1656135b535f3276608988"},{"introduced":"0"},{"last_affected":"0ea0614a95bd1c31945a9a096e22f40cdf29700c"},{"introduced":"0"},{"last_affected":"c98c005f2a37c49feaaa7c96e052edd85da60dbe"},{"introduced":"0"},{"last_affected":"d23485b8092ee466ef4550d694bfd85a49c20285"},{"introduced":"0"},{"last_affected":"b0b9e85245327a06dbceac9407cdff2465b757a6"},{"introduced":"0"},{"last_affected":"b0b9e85245327a06dbceac9407cdff2465b757a6"},{"introduced":"0"},{"last_affected":"586bf2c21b0bd775aedc0789c37d6111da043d76"},{"introduced":"0"},{"last_affected":"712e525580fa83d989cb748dbab27dc7a5d94ccd"},{"introduced":"0"},{"last_affected":"7ea9043aa7383d4f2d1656135b535f3276608988"},{"introduced":"0"},{"last_affected":"0ea0614a95bd1c31945a9a096e22f40cdf29700c"},{"introduced":"0"},{"last_affected":"c98c005f2a37c49feaaa7c96e052edd85da60dbe"},{"introduced":"0"},{"last_affected":"d23485b8092ee466ef4550d694bfd85a49c20285"},{"introduced":"0"},{"last_affected":"16d03be248641f92824e33f48a0ff952dfe59703"},{"introduced":"0"},{"last_affected":"475b9805d040f0ce2a046955bd68bf16fe1c2f0e"},{"introduced":"0"},{"last_affected":"b2d7cc68a80f974282a379aa700e22387c70c50a"},{"introduced":"0"},{"last_affected":"07af97431ed9c9ce34dfd814fc14adfc5911450d"},{"introduced":"0"},{"last_affected":"1315ff6875135daf5f41378e56cdd6def2ac7e14"},{"introduced":"0"},{"last_affected":"e1ac3de357b51e64ba77c121e5f65fe5b6f297f8"},{"introduced":"0"},{"last_affected":"d67b55c18ccb3d6e9d142f8148032d0d130fe9cb"},{"introduced":"0"},{"last_affected":"5d9fb631f3719c9f3e5002e50fb40951aaf43cc9"},{"introduced":"0"},{"last_affected":"d67b55c18ccb3d6e9d142f8148032d0d130fe9cb"},{"introduced":"0"},{"last_affected":"5d9fb631f3719c9f3e5002e50fb40951aaf43cc9"},{"introduced":"0"},{"last_affected":"aa2c022f6b63addd28bff66a2d8fdf0c1a5a268e"},{"introduced":"0"},{"last_affected":"d67b55c18ccb3d6e9d142f8148032d0d130fe9cb"},{"introduced":"0"},{"last_affected":"d67b55c18ccb3d6e9d142f8148032d0d130fe9cb"},{"introduced":"0"},{"last_affected":"5d9fb631f3719c9f3e5002e50fb40951aaf43cc9"},{"introduced":"0"},{"last_affected":"439f94cc22eea87c56abb3405b6f8e3ba705dacb"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"6.1.0-b1"},{"introduced":"0"},{"last_affected":"6.1.0-b2"},{"introduced":"0"},{"last_affected":"6.1.0-b3"},{"introduced":"0"},{"last_affected":"6.1.0-b4"},{"introduced":"0"},{"last_affected":"6.1.0-ga1"},{"introduced":"0"},{"last_affected":"6.1.0-rc1"},{"introduced":"0"},{"last_affected":"6.1.1-ga2"},{"introduced":"0"},{"last_affected":"6.1.2-ga3"},{"introduced":"0"},{"last_affected":"6.2.0-b1"},{"introduced":"0"},{"last_affected":"6.2.0-b2"},{"introduced":"0"},{"last_affected":"6.2.0-ga1"},{"introduced":"0"},{"last_affected":"6.2.0-m1"},{"introduced":"0"},{"last_affected":"6.2.0-m2"},{"introduced":"0"},{"last_affected":"6.2.0-m3"},{"introduced":"0"},{"last_affected":"6.2.0-m4"},{"introduced":"0"},{"last_affected":"6.2.0-m5"},{"introduced":"0"},{"last_affected":"6.2.0-m6"},{"introduced":"0"},{"last_affected":"6.2.0-rc1"},{"introduced":"0"},{"last_affected":"6.2.0-rc2"},{"introduced":"0"},{"last_affected":"6.2.0-rc3"},{"introduced":"0"},{"last_affected":"6.2.0-rc4"},{"introduced":"0"},{"last_affected":"6.2.0-rc5"},{"introduced":"0"},{"last_affected":"6.2.0-rc6"},{"introduced":"0"},{"last_affected":"6.2.1-ga2"},{"introduced":"0"},{"last_affected":"6.2.2-ga3"},{"introduced":"0"},{"last_affected":"6.2.3-ga4"},{"introduced":"0"},{"last_affected":"6.2.4-ga5"},{"introduced":"0"},{"last_affected":"6.2.5-ga6"},{"introduced":"0"},{"last_affected":"7.0.0-a1"},{"introduced":"0"},{"last_affected":"7.0.0-a2"},{"introduced":"0"},{"last_affected":"7.0.0-a3"},{"introduced":"0"},{"last_affected":"7.0.0-a4"},{"introduced":"0"},{"last_affected":"7.0.0-a5"},{"introduced":"0"},{"last_affected":"7.0.0-b1"},{"introduced":"0"},{"last_affected":"7.0.0-b2"},{"introduced":"0"},{"last_affected":"7.0.0-b3"},{"introduced":"0"},{"last_affected":"7.0.0-b4"},{"introduced":"0"},{"last_affected":"7.0.0-b5"},{"introduced":"0"},{"last_affected":"7.0.0-b6"},{"introduced":"0"},{"last_affected":"7.0.0-b7"},{"introduced":"0"},{"last_affected":"7.0.0-ga1"},{"introduced":"0"},{"last_affected":"7.0.0-m1"},{"introduced":"0"},{"last_affected":"7.0.0-m2"},{"introduced":"0"},{"last_affected":"7.0.0-m3"},{"introduced":"0"},{"last_affected":"7.0.0-m4"},{"introduced":"0"},{"last_affected":"7.0.0-m5"},{"introduced":"0"},{"last_affected":"7.0.0-m6"},{"introduced":"0"},{"last_affected":"7.0.0-m7"},{"introduced":"0"},{"last_affected":"7.0.1-ga2"},{"introduced":"0"},{"last_affected":"7.0.2-ga3"},{"introduced":"0"},{"last_affected":"7.0.3-ga4"},{"introduced":"0"},{"last_affected":"7.0.4-ga5"},{"introduced":"0"},{"last_affected":"7.0.5-ga6"},{"introduced":"0"},{"last_affected":"7.0.6-ga7"},{"introduced":"0"},{"last_affected":"7.1.0-a1"},{"introduced":"0"},{"last_affected":"7.1.0-a2"},{"introduced":"0"},{"last_affected":"7.1.0-b1"},{"introduced":"0"},{"last_affected":"7.1.0-b2"},{"introduced":"0"},{"last_affected":"7.1.0-b3"},{"introduced":"0"},{"last_affected":"7.1.0-ga1"},{"introduced":"0"},{"last_affected":"7.1.0-m1"},{"introduced":"0"},{"last_affected":"7.1.0-m2"},{"introduced":"0"},{"last_affected":"7.1.0-rc1"}]}}],"versions":["6.1.0-b1","6.1.0-b2","6.1.0-b3","6.1.0-b4","6.1.0-ga1","6.1.0-rc1","6.1.1-ga2","6.1.2-ga3","6.2.0-b1","6.2.0-b2","6.2.0-ga1","6.2.0-m1","6.2.0-m2","6.2.0-m3","6.2.0-m4","6.2.0-m5","6.2.0-m6","6.2.0-rc1","6.2.0-rc2","6.2.0-rc3","6.2.0-rc4","6.2.0-rc5","6.2.0-rc6","6.2.1-ga2","6.2.2-ga3","6.2.3-ga4","6.2.4-ga5","6.2.5-ga6","7.0.0-a1","7.0.0-a2","7.0.0-a3","7.0.0-a4","7.0.0-a5","7.0.0-b1","7.0.0-b2","7.0.0-b3","7.0.0-b4","7.0.0-b5","7.0.0-b6","7.0.0-b7","7.0.0-ga1","7.0.0-m1","7.0.0-m2","7.0.0-m3","7.0.0-m4","7.0.0-m5","7.0.0-m6","7.0.0-m7","7.0.1-ga2","7.0.2-ga3","7.0.3-ga4","7.0.4-ga5","7.0.5-ga6","7.0.6-ga7","7.1.0-a1","7.1.0-a2","7.1.0-b1","7.1.0-b2","7.1.0-b3","7.1.0-m1","7.1.0-m2","7.1.0-rc1","sync-3.0.0-b1","sync-3.0.1-b2","sync-3.0.10-ga2","sync-3.0.2-b3","sync-3.0.3-b4","sync-3.0.4-b5","sync-3.0.5-b6","sync-3.0.6-b7","sync-3.0.7-b8","sync-3.0.8-b9","sync-3.0.9-ga1","sync-3.1.0-ga1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-6588.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"6.0.6"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}