Stored XSS in Alloy components rendering JavaScript arrays of strings: alloy:autoComplete and alloy:inputFile

Description

A stored cross-site scripting (XSS) vulnerability exists in alloy:autoComplete and alloy:inputFile due to improper rendering of JavaScript strings in arrays for the following versions of Liferay Faces Alloy:

  • com.liferay.faces.alloy-2.0.0 (supports Liferay Portal 6.2)
  • com.liferay.faces.alloy-2.0.1 (supports Liferay Portal 6.2)
  • com.liferay.faces.alloy-3.0.0 (supports Liferay Portal 7.0+)
  • com.liferay.faces.alloy-3.0.1 (supports Liferay Portal 7.0+)
  • liferay-faces-alloy-3.2.5-ga6 (supports Liferay Portal 6.2)
  • liferay-faces-alloy-4.2.5-ga6 (supports Liferay Portal 6.2)
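As an added example (not Liferay Faces Alloy code, whose renderers are written in Java), the JavaScript below contrasts the unsafe pattern the advisory describes, concatenating strings verbatim into a JavaScript array literal emitted inside a script block, with per-element escaping of each string; sampleItems is a constructed stand-in for the suggestion values an autoComplete component renders.

```javascript
// Added example, not Liferay Faces Alloy code: escaping server-supplied
// strings into a JavaScript array literal emitted inside an HTML <script>.

// Escape one string for use inside a single-quoted JS string literal that
// will itself sit in an HTML <script> block. Besides the quote characters
// and backslash, '<', '>' and '&' are emitted as \uXXXX escapes so the
// browser's HTML parser can never see a "</script>" sequence inside the
// literal; JS line terminators (including U+2028/U+2029) are escaped too.
function escapeJsStringLiteral(value) {
  return String(value).replace(/[\\'"<>&\u2028\u2029\r\n\t]/g, (ch) => {
    const code = ch.charCodeAt(0).toString(16).padStart(4, '0');
    return '\\u' + code;
  });
}

// Unsafe pattern: values concatenated into the literal verbatim, so a quote
// or a closing script tag inside a value changes the meaning of the output.
function renderArrayUnsafe(items) {
  return "['" + items.join("','") + "']";
}

// Hardened pattern: every element escaped individually before emission.
function renderArraySafe(items) {
  return '[' + items.map((s) => "'" + escapeJsStringLiteral(s) + "'").join(',') + ']';
}

// Round-trip helper: evaluate an emitted literal as JavaScript and return
// the resulting array, so a caller can confirm the values survive intact.
function parseArrayLiteral(literal) {
  return new Function('return ' + literal + ';')();
}

// Constructed sample values: a quote, an ampersand and a closing script tag.
const sampleItems = ["O'Reilly", 'Smith & Sons', 'a</script>b'];
```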

Severity

Severity 2

Fixed Version(s)

Notes

To install, remove any old versions of Liferay Faces Alloy from your WAR and place the new version of Liferay Faces Alloy in each of your Liferay Faces WARs in the WEB-INF/lib directory.

Make sure you install the correct version of Liferay Faces Alloy. Liferay Faces Alloy 3.0.2 supports Liferay Portal 7.0+. Liferay Faces Alloy 2.0.2 supports Liferay Portal 6.2. See Understanding the Liferay Faces Version Scheme for more details.

The dependency can be included via Maven, Gradle, or Ivy.

In a Maven project pom.xml <dependencies> section, add the following <dependency>:

<dependency>
    <groupId>com.liferay.faces</groupId>
    <artifactId>com.liferay.faces.alloy</artifactId>
    <version>3.0.2</version>
</dependency>

In a Gradle project build.gradle dependencies section, add the following dependency:

compile group: 'com.liferay.faces', name: 'com.liferay.faces.alloy', version: '3.0.2'

In an Ant-Ivy project ivy.xml dependencies section, add the following dependency:

<dependency org="com.liferay.faces" name="com.liferay.faces.alloy" rev="3.0.2" />

Publication date: Tue, 27 Aug 2019 21:52:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.