CVE-2019-6588

Name of the Vulnerable Software and Affected Versions Liferay Portal versions prior to 7.1 CE GA4

Description A security issue exists in the SimpleCaptcha API when custom code passes unsanitized input into the url parameter of the JSP taglib call, such as <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. This issue does not affect Liferay Portal's out-of-the-box behavior without customizations.

Recommendations For versions prior to 7.1 CE GA4, ensure that any custom code using the SimpleCaptcha API sanitizes input passed to the url parameter to prevent exploitation. As a temporary workaround, consider validating and sanitizing all user-input data used in the url parameter of the affected JSP taglib calls until a patch is available.