In Liferay Portal prior to 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. Liferay Portal out-of-the-box behavior with no customizations is not vulnerable.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
liferay liferay portal 7.1.0 |
||
liferay liferay portal 7.0.4 |
||
liferay liferay portal 7.0.3 |
||
liferay liferay portal 7.0.0 |
||
liferay liferay portal 6.2.4 |
||
liferay liferay portal 6.2.3 |
||
liferay liferay portal 6.2.2 |
||
liferay liferay portal 6.2.0 |
||
liferay liferay portal 6.1.0 |
||
liferay liferay portal |
||
liferay liferay portal 7.0.6 |
||
liferay liferay portal 7.0.5 |
||
liferay liferay portal 6.2.5 |
||
liferay liferay portal 7.0.2 |
||
liferay liferay portal 7.0.1 |
||
liferay liferay portal 6.2.1 |
||
liferay liferay portal 6.1.2 |
||
liferay liferay portal 6.1.1 |
Vulmon