
Hippo CMS 10.1 Stored Cross-Site Scripting Vulnerability

Medium
Advisory ID
ZSL-2016-5300
Release Date
30 January 2016
Vendor
Affected Version
10.1, 7.9 and 7.8 (Enterprise Edition)
CVE
N/A
Tested On
Linux 2.6.32-5-xen-amd64, Java/1.8.0_66, Apache-Coyote/1.1
Summary

Hippo CMS is an open source Java CMS. We built it so you can easily integrate it into your existing architecture.

Description

Hippo CMS suffers from a stored XSS vulnerability. Input passed through the POST parameters 'groupname' and 'description' is not sanitized, allowing an attacker to execute arbitrary HTML and script code in a user's browser session on the affected site.
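
The weakness described above, as an added illustration that is not Hippo CMS code: a template that echoes the stored 'groupname' and 'description' values verbatim, beside one that HTML-encodes them for the context they land in. The stored values are constructed samples, and the render functions are hypothetical stand-ins for the CMS's own group page.

```python
# Added example (not Hippo CMS code): contrasts a template that interpolates
# stored group fields verbatim with one that HTML-encodes them on output.
import html

# Constructed sample of what an unsanitized POST could leave in storage.
# The values are illustrative and not taken from the advisory.
STORED_GROUP = {
    "groupname": 'editors" onmouseover="alert(1)',
    "description": "<script>alert(document.cookie)</script>",
}


def render_group_vulnerable(group: dict) -> str:
    """Renders stored values verbatim: the stored-XSS pattern the advisory describes."""
    return (
        f'<div class="group" data-name="{group["groupname"]}">'
        f'<h2>{group["groupname"]}</h2>'
        f'<p>{group["description"]}</p></div>'
    )


def render_group_hardened(group: dict) -> str:
    """Encodes each stored field on output for both the attribute and body contexts.

    quote=True also encodes double and single quotes, which is what stops the
    groupname value from breaking out of the data-name attribute.
    """
    name = html.escape(group["groupname"], quote=True)
    desc = html.escape(group["description"], quote=True)
    return (
        f'<div class="group" data-name="{name}">'
        f'<h2>{name}</h2>'
        f'<p>{desc}</p></div>'
    )


def contains_raw_markup(rendered: str, field_value: str) -> bool:
    """Check used in tests: does the rendered page still carry the stored value unencoded?"""
    return field_value in rendered
```

Encoding on output is the fix that holds even for values already sitting in the database; validating 'groupname' and 'description' on the POST is a useful second layer but does not clean up what was stored before the patch.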

Proof of Concept
Disclosure Timeline
04.12.2015 Vulnerability discovered.
05.12.2015 Contact with the vendor.
07.12.2015 Vendor responds asking for more details.
07.12.2015 Sent details to the vendor.
07.12.2015 Vendor acknowledges the vulnerabilities and schedules a patch release timeframe.
18.12.2015 Vendor fixed the vulnerabilities, instructing customers to update.
29.01.2016 Vendor released a security notice and versions 10.1.2, 7.9.11 and 7.8.12 to address these issues.
30.01.2016 Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
30.01.2016 Initial release
31.01.2016 Added references [5] and [6]
01.02.2016 Added reference [7]