Liferay Portlet Cross-Site Scripting vulnerability

Last update: 6 November 2020


A security vulnerability was found in the Fabasoft Portlet for Liferay that can allow Cross-Site Scripting if an attacker modifies the URL in a special way.


An attacker can exploit this vulnerability to run JavaScript code on the client machine.

An article about the risks of cross-site scripting (XSS) can be found at Wikipedia.

Webservers and services in the backend are not affected by this vulnerability. No code execution can be done on these machines. Only client machines are at risk.
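To illustrate the class of defect described above, the following is an added example, not the Fabasoft portlet's own code: a hypothetical JSR-286 portlet (the class name `EchoPortlet` and the `folder` parameter are assumptions) that reflects a value taken from the request URL into its markup. The unsafe method writes the parameter verbatim, so markup supplied in the URL is interpreted by the browser; the corrected `doView` HTML-encodes every untrusted value before it reaches the page.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

/*
 * Hypothetical portlet (not the Fabasoft code) that echoes the URL parameter
 * "folder" into its HTML output. Class and parameter names are assumptions
 * made for this example.
 */
public class EchoPortlet extends GenericPortlet {

    // Vulnerable variant: the parameter value, taken straight from the request
    // URL, is concatenated into the markup without any encoding. Anything that
    // looks like HTML in the URL is rendered by the client's browser.
    protected void renderUnsafe(RenderRequest request, RenderResponse response)
            throws IOException {
        String folder = request.getParameter("folder");
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<h2>Folder: " + folder + "</h2>");
    }

    // Corrected variant: the same value is HTML-encoded before it is written,
    // so the browser displays it as text instead of interpreting it as markup.
    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        String folder = request.getParameter("folder");
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<h2>Folder: " + escapeHtml(folder) + "</h2>");
    }

    // Minimal HTML entity encoder for text placed in element content or
    // quoted attribute values. A null parameter yields an empty string.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Stand-alone check of the encoder on a constructed hostile value.
    public static void main(String[] args) {
        String constructed = "Reports<script>alert(1)</script>";
        System.out.println(escapeHtml(constructed));
    }
}
```

The encoder is written out by hand only to keep the example self-contained; in a real deployment a maintained library encoder should be used, and the encoding must match the context (element content, attribute, JavaScript, URL) into which the value is inserted.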


A hotfix for the portlet is available for the Fabasoft software versions listed below.

If you use a Liferay production environment in an insecure network (Internet), please open a ticket at Fabasoft Service Desk including your current Fabasoft Folio/eGov-Suite version.

Applies to

  • Fabasoft Folio (up to and including 2012 Fall Release)
  • Fabasoft eGov-Suite (up to and including 2012)
  • Hotfix-Builds with build number and above already include the hotfix