Security Alert Liferay Portlet - Possibility for Cross-Site Scripting

Last update: 4 August 2017

Summary

A security vulnerability was found in the Fabasoft Portlet for Liferay that can allow cross-site scripting if an attacker modifies the URL in a specially crafted way.

Information

An attacker can exploit this vulnerability to run JavaScript code on the client machine.

An article about the risks of cross-site scripting (XSS) can be found on Wikipedia.

Web servers and backend services are not affected by this vulnerability: no code can be executed on these machines. Only client machines are at risk.
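The advisory describes the classic reflected pattern: a value taken from the request URL is written into the portlet's HTML without encoding, so the browser of whoever opens that URL interprets it as markup. The following is an added example and not code from the Fabasoft portlet or from Liferay; the parameter name "title", the template markup and the sample URL are all hypothetical. It shows the unencoded rendering beside the hardened one (HTML output encoding) and a simple check a reviewer can run over rendered fragments to spot foreign tags.

```javascript
// Added example, not code from the Fabasoft Liferay portlet. It models the
// generic reflected-XSS pattern described in the advisory: a value taken from
// the request URL is written into the portlet's HTML. The parameter name
// "title", the template and the sample URL below are hypothetical.

// Entity references for the characters that matter inside element content or
// a double-quoted attribute. This is the minimal encoding table for HTML text.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read one query parameter from a request URL (relative URLs resolved against
// a placeholder origin). Returns "" when the parameter is absent.
function getParam(requestUrl, name) {
  const url = new URL(requestUrl, "https://portal.example/");
  return url.searchParams.get(name) ?? "";
}

// Vulnerable rendering: the URL parameter is concatenated into the markup
// as-is, so whatever it contains becomes part of the page's DOM.
function renderUnsafe(requestUrl) {
  const title = getParam(requestUrl, "title");
  return `<h2 class="portlet-title">${title}</h2>`;
}

// Hardened rendering: the same value is HTML-encoded before insertion, so the
// browser renders it as text. (Server-side portlet code would apply the
// equivalent encoding, e.g. Liferay's HtmlUtil.escape, before writing output.)
function renderSafe(requestUrl) {
  const title = escapeHtml(getParam(requestUrl, "title"));
  return `<h2 class="portlet-title">${title}</h2>`;
}

// Reviewer-side check: does a rendered fragment contain any tag that is not
// part of the template? The template has exactly one <h2> pair, so any other
// tag in the output came from untrusted input.
function containsInjectedMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?h2\b/.test(t));
}

// Constructed sample request: the parameter carries markup instead of text.
const SAMPLE_URL =
  "/web/guest/home?title=" +
  encodeURIComponent("Report <script>alert(1)</script>");

console.log("unencoded:", renderUnsafe(SAMPLE_URL));
console.log("encoded:  ", renderSafe(SAMPLE_URL));
console.log("injected markup in unencoded output:",
  containsInjectedMarkup(renderUnsafe(SAMPLE_URL)));
console.log("injected markup in encoded output:  ",
  containsInjectedMarkup(renderSafe(SAMPLE_URL)));
```

The fix is output encoding at the point where untrusted data meets HTML, not input filtering: the decoded parameter value is unchanged, but once encoded it can only ever appear as text. The `containsInjectedMarkup` check is a coarse template-specific heuristic for tests and reviews, not a substitute for encoding.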

Solution

A hotfix for the portlet is available for the Fabasoft software versions listed below.

If you run a Liferay production environment in an insecure network (the Internet), please open a ticket at the Fabasoft Service Desk including your current Fabasoft Folio/eGov-Suite version.

Applies to

  • Fabasoft Folio (up to and including 2012 Fall Release)
  • Fabasoft eGov-Suite (up to and including 2012)
  • Hotfix builds with build number 12.0.7.116 and above already include the hotfix