Liferay Portlet Cross-Site Scripting vulnerability

Summary

A security vulnerability was found in the Fabasoft Portlet for Liferay that can allow Cross Site Scripting, if an attacker modifies the URL in a special way.

Information

An attacker can exploit this vulnerability to run JavaScript code on the client machine .

An article about the risks of cross-site scripting (XSS) can be found at Wikipedia .

Webservers and services in the backend are not affected by this vulnerability. No code execution can be done on these machines. Only client machines are at risk.

Solution

A hotfix for the portlet is available for the Fabasoft software versions listed below.

If you use a Liferay production environment in an insecure network (Internet), please open a ticket at Fabasoft Service Desk including your current Fabasoft Folio/eGov-Suite version.

Applies to

• Fabasoft Folio (up to and including 2012 Fall Release)
• Fabasoft eGov-Suite (up to and including 2012)
• Hotfix-Builds with build number 12.0.7.116 and above already include the hotfix