XXE and XSS vulnerabilities in Hippo CMS application
Issue date: 29-01-2016
Affects versions: 10.1, 10.0, 7.9, 7.8
Issue id: SECURITY-12
Severity
High
Description
Through an external security report and subsequent further investigation by Hippo, we discovered a few important security vulnerabilities within our Hippo CMS application.
Important to note is that these vulnerabilities do not concern the delivery tier (i.e. websites managed and rendered through Hippo); they only apply to the CMS authoring web application, and require a logged-in CMS user to exploit.
Hippo has implemented fixes for all these vulnerabilities across all supported versions and provides new releases of all concerned modules, so that you can upgrade and close these vulnerabilities in your implementation of Hippo.
Hippo strongly advises all customers to apply these fixes by upgrading as soon as possible; detailed instructions are described further below.
There are two types of security vulnerabilities fixed:
- XXE (XML External Entity) processing through upload of SVG images in the CMS, and through XML import in the CMS Console application.
  For further background information concerning XXE vulnerabilities in general, see:
  https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
  Fixes for these have been implemented in the Hippo cms and repository modules.
- XSS (Cross-Site Scripting) vulnerabilities in several modules within the CMS application.
  For further background information concerning XSS vulnerabilities in general, see:
  https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
  Fixes have been implemented in the Hippo cms, channelmanager, targeting and eforms modules through internal code changes only.
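The XXE item above concerns XML parsers that process DTDs in user-supplied documents such as uploaded SVG files. The following is an added illustration of the defensive parser configuration such an upload path needs; it is not Hippo's own fix and the sample uploads are constructed for the example. It refuses any DOCTYPE, entity declaration or external entity reference before the parser can touch a file or URL, and additionally checks that the document really is an SVG.

```python
import xml.parsers.expat as expat


class UnsafeSvgError(ValueError):
    """Raised when an uploaded SVG would trigger DTD or entity processing."""


def _reject(reason):
    """Build an expat handler that aborts parsing with the given reason."""
    def handler(*_args):
        raise UnsafeSvgError(reason)
    return handler


def check_svg_upload(data: bytes) -> str:
    """Return the root element name of an acceptable SVG upload.

    Every XXE payload needs a DTD, so the parser fails on the first
    DOCTYPE, entity declaration or external entity reference. Because
    the check runs inside the parser, no file or URL is ever fetched.
    """
    parser = expat.ParserCreate()
    root = []
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE not allowed in uploads")
    parser.EntityDeclHandler = _reject("entity declarations not allowed")
    parser.ExternalEntityRefHandler = _reject("external entity reference refused")
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_start(name, _attrs):
        if not root:          # remember only the document element
            root.append(name)
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeSvgError(f"malformed XML: {exc}") from exc
    # Accept "svg" or a prefixed "x:svg" root; anything else is not an image.
    if not root or root[0].rpartition(":")[2] != "svg":
        raise UnsafeSvgError("root element is not <svg>")
    return root[0]


def screen_upload(data: bytes) -> str:
    """Turn check_svg_upload into an accept/reject verdict string."""
    try:
        return "accepted:" + check_svg_upload(data)
    except UnsafeSvgError as exc:
        return "rejected:" + str(exc)


# Constructed sample uploads (placeholder path; not taken from the advisory).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
DTD_SVG = (b'<!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>')
NOT_SVG = b'<html><body/></html>'

if __name__ == "__main__":
    for sample in (BENIGN_SVG, DTD_SVG, NOT_SVG):
        print(screen_upload(sample))
```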
These fixes themselves do not require specific configuration changes or upgrade steps other than upgrading to the latest minor release: Hippo CMS 10.1.2, 7.9.11, or 7.8.12.
Credits
These vulnerabilities were discovered and reported by Gjoko Krstic from Zero Science Lab (http://www.zeroscience.mk).