XSS vulnerability in Hippo CMS Repository Servlet

Issue date: 03-11-2016
Affects versions: 11.0, 10.2, 10.1, 10.0, 7.9

Issue id: SECURITY-22

Affected Product Version(s)

This vulnerability applies to CMS 11.0.1, CMS 10.2.1, CMS 7.9.12 and earlier versions.

Severity

Medium

Description

An external security report revealed an XSS (Cross-Site Scripting) vulnerability within the Hippo CMS Repository Servlet.

Note that this vulnerability does not concern the delivery tier, i.e. the websites managed and rendered through Hippo.
It applies only to the CMS authoring web application, and exploitation requires a user who is logged in to the CMS Repository Servlet separately; a login to the CMS authoring application itself is not sufficient. Access to the CMS Repository Servlet is typically restricted to developers and administrators, if it is exposed at all.

The CMS Repository Servlet provides read-only query access to the Hippo Repository, and that access is further restricted to the security access level of the logged-in user. The XSS vulnerability could potentially be used to trick a user who is already logged in to the Repository Servlet into querying data from the Hippo Repository, as accessible by that user, and exposing it to an external host.

Hippo has implemented a fix for this vulnerability across all supported versions and has released new versions of the Hippo Repository module so that you can upgrade and close this vulnerability in your Hippo implementation.

The fixes require no specific configuration changes or upgrade steps beyond upgrading to Hippo CMS 11.0.2, CMS 10.2.2, CMS 7.9.13 or a newer release.

Hippo strongly advises all customers to apply this fix by upgrading as soon as possible.

For further background information concerning XSS vulnerabilities in general, see:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Credits

This vulnerability was discovered and reported by Jan Kopec, security researcher (https://twitter.com/blogresponder).