
Hippo CMS 10.1 XML External Entity Information Disclosure Vulnerability

Risk: High
Advisory ID: ZSL-2016-5301
Release Date: 30 January 2016
Vendor:
Affected Version: 10.1, 7.9 and 7.8 (Enterprise Edition)
CVE: N/A
Tested On: Linux 2.6.32-5-xen-amd64, Java/1.8.0_66, Apache-Coyote/1.1
Summary

Hippo CMS is an open source Java CMS. We built it so you can easily integrate it into your existing architecture.

Description

XXE (XML External Entity) processing is possible through the upload of SVG images in the CMS, and through XML import in the CMS Console application.
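As an added illustration of the mitigation (this is not code from the advisory or from Hippo CMS), the parser settings a Java upload or import handler needs so that an SVG carrying an inline DTD is rejected before any entity is resolved. The SVG sample, the placeholder file path and the class name are constructed for the example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class SvgUploadXxeCheck {

    // Constructed sample: an "image" upload that is really XML with an inline DTD
    // declaring an external entity. The path is a placeholder, not a real target.
    static final String SVG_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE svg [ <!ENTITY ext SYSTEM \"file:///placeholder/path\"> ]>\n"
      + "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>&ext;</text></svg>";

    // Constructed sample: a benign SVG with no DTD, which must still be accepted.
    static final String PLAIN_SVG =
        "<svg xmlns=\"http://www.w3.org/2000/svg\"><circle r=\"1\"/></svg>";

    // Hardened DOM parser: no DOCTYPE at all, no external entities, no external DTD.
    // These feature URIs are the ones honoured by the JDK's built-in Xerces parser.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder();
    }

    // True when the document parsed; with disallow-doctype-decl set, any DOCTYPE
    // raises a SAXParseException, so the DTD-carrying SVG is refused outright.
    static boolean parses(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement() != null;
        } catch (SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder b = hardenedBuilder();
        System.out.println("SVG with DTD accepted: " + parses(b, SVG_WITH_DTD));
        System.out.println("plain SVG accepted:    " + parses(b, PLAIN_SVG));
    }
}
```

The same feature flags apply to SAXParserFactory and, for the Console's XML import path, to any XMLInputFactory (there via IS_SUPPORTING_EXTERNAL_ENTITIES and SUPPORT_DTD set to false).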

Proof of Concept
Disclosure Timeline
04.12.2015 Vulnerability discovered.
05.12.2015 Contact with the vendor.
07.12.2015 Vendor responds asking for more details.
07.12.2015 Sent details to the vendor.
07.12.2015 Vendor acknowledges the vulnerabilities and schedules a patch release timeframe.
18.12.2015 Vendor fixes the vulnerabilities and instructs customers to update.
29.01.2016 Vendor releases security notice and versions 10.1.2, 7.9.11 and 7.8.12 to address these issues.
30.01.2016 Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
30.01.2016 Initial release
31.01.2016 Added references [5] and [6]
01.02.2016 Added reference [7]
05.02.2016 Added reference [8]