Security Advisory: FACES--1917 Security vulnerability with JSF URL params

James Falkner, modified 9 Years ago.

The following security advisory has been announced for Liferay Faces 3.x/4.x:
  • CST-SA: FACES--1917 Security vulnerability with _jsfBridgeViewId, _facesViewIdRender, and _facesViewIdResource URL parameter values
Liferay Faces Bridge has a security vulnerability in which the _jsfBridgeViewId, _facesViewIdRender, and _facesViewIdResource request parameter values are not restricted to valid filename characters.

Liferay Faces users are strongly advised to keep abreast of all new security advisories and apply associated fixes or workarounds to their Liferay deployments.

To be notified of future releases, be sure to subscribe to this forum and follow the known vulnerabilities list (e.g. via RSS).
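
An added example, not part of the original post and not Liferay's fix: a small access-log check that flags requests whose `_jsfBridgeViewId`, `_facesViewIdRender` or `_facesViewIdResource` values fall outside a filename-character allowlist. The allowlist, the namespaced parameter names and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names from the advisory. ASSUMPTION: the portlet container may
# prefix them with a namespace, so names are matched on their suffix.
WATCHED = ("_jsfBridgeViewId", "_facesViewIdRender", "_facesViewIdResource")

# ASSUMPTION: the advisory does not list the "valid filename characters";
# this set (letters, digits, '_', '-', '.', '/') is a stand-in to adjust.
ALLOWED = re.compile(r"[A-Za-z0-9_\-./]+")

# Request line of a common/combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(url):
    """Return (name, decoded_value) pairs whose value breaks the allowlist."""
    hits = []
    # parse_qsl percent-decodes once, so a double-encoded value still
    # contains '%' afterwards and is flagged as well.
    for name, value in parse_qsl(urlsplit(url).query):
        if name.endswith(WATCHED) and not ALLOWED.fullmatch(value):
            hits.append((name, value))
    return hits

def scan_log(lines):
    """Return (line_number, hits) for every log line with a flagged value."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        hits = suspicious_params(match.group(1)) if match else []
        if hits:
            findings.append((lineno, hits))
    return findings

# Constructed sample log lines (documentation IP range, hypothetical portlet).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2015:10:00:00 +0000] "GET /web/guest/home?p_p_id=demo_WAR_demoportlet'
    '&_demo_WAR_demoportlet__jsfBridgeViewId=%2Fviews%2Flist.xhtml HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2015:10:00:05 +0000] "GET /web/guest/home'
    '?_demo_WAR_demoportlet__facesViewIdRender=%2Fviews%2Fedit.xhtml%20%7Cx HTTP/1.1" 200 312',
    '192.0.2.12 - - [01/Jan/2015:10:00:09 +0000] "GET /web/guest/home'
    '?_facesViewIdResource=%252Fviews%252Fa.css HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {hits}")
```

The same allowlist can be applied at a reverse proxy or servlet filter in front of affected deployments until the advisory's fix is installed.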