Liferay Portlet Cross-Site Scripting vulnerability
Summary
A security vulnerability was found in the Fabasoft Portlet for Liferay that can allow cross-site scripting (XSS) if an attacker modifies the URL in a special way.
Information
An attacker can exploit this vulnerability to run JavaScript code on the client machine.
An article about the risks of cross-site scripting (XSS) can be found at Wikipedia.
Web servers and backend services are not affected by this vulnerability; no code can be executed on these machines. Only client machines are at risk.
Solution
A hotfix for the portlet is available for the Fabasoft software versions listed below.
If you operate a Liferay production environment in an insecure network (the Internet), please open a ticket at the Fabasoft Service Desk and include your current Fabasoft Folio/eGov-Suite version.
Applies to
- Fabasoft Folio (up to and including 2012 Fall Release)
- Fabasoft eGov-Suite (up to and including 2012)
- Hotfix builds with build number 12.0.7.116 and above already include the hotfix