CVE-2019-16147

Published: Sep 9, 2019Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

Liferay Portal through 7.2.0 GA1 allows XSS via a journal article title to journal_article/page.jsp in journal/journal-taglib.

Affected (9)

Products: Liferay: Liferay Portal

1 product

Configuration A

9 vulnerable

Vulnerable Software	Affected Versions
Liferay Liferay Portal	Before 7.2.0
Liferay Liferay Portal	Version 7.2.0 alpha1
Liferay Liferay Portal	Version 7.2.0 beta1
Liferay Liferay Portal	Version 7.2.0 beta2
Liferay Liferay Portal	Version 7.2.0 beta3
Liferay Liferay Portal	Version 7.2.0 ga1
Liferay Liferay Portal	Version 7.2.0 milestone2
Liferay Liferay Portal	Version 7.2.0 rc2
Liferay Liferay Portal	Version 7.2.0 rc3

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://github.com/liferay/liferay-portal/commit/7e063aed70f947a92bb43a4471e0c4e650fe8f7f

Source: cve@mitre.org

Patch

https://github.com/liferay/liferay-portal/commit/7e063aed70f947a92bb43a4471e0c4e650fe8f7f

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

Timeline

No history available yet.