A security vulnerability was found in the Fabasoft Portlet for Liferay that can allow cross-site scripting (XSS) if an attacker modifies the URL in a specially crafted way.
An article about the risks of cross-site scripting (XSS) can be found at Wikipedia.
Web servers and backend services are not affected by this vulnerability, and no code execution is possible on these machines. Only client machines (the browsers of users who open such a URL) are at risk.
A hotfix for the portlet is available for the Fabasoft software versions listed below.
If you use a Liferay production environment in an insecure network (Internet), please open a ticket at Fabasoft Service Desk including your current Fabasoft Folio/eGov-Suite version.
- Fabasoft Folio (up to and including 2012 Fall Release)
- Fabasoft eGov-Suite (up to and including 2012)
- Hotfix-Builds with build number 220.127.116.11 and above already include the hotfix