XSS vulnerability in Channels list view via custom channel properties
Issue date: 26-04-2018
Affects versions: 12.2, 11.2, 10.2
Issue ID: SECURITY-59
Affected Product Version(s)
This vulnerability applies to CMS 12.2.0, 11.2.6, and 10.2.10 and earlier versions.
Severity
normal
Description
The Channels list view can render any channel property in additional columns. These additional columns are configured at
/hippo:configuration/hippo:frontend/cms/hippo-channel-manager/channel-manager-perspective/channel-list
Because the value of a configured channel property is rendered into the column, a property whose value contains markup or script can be used for cross-site scripting (XSS) against users who view the Channels list.
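As an added illustration (not code from this advisory or from the CMS itself), the following Python sketch models a list view that copies configured property values straight into column markup, its hardened counterpart that HTML-encodes them first, and an audit helper for finding stored property values that already contain markup. The channel identifiers, property names and values are constructed for the example.

```python
import html
import re
from typing import Dict, List

# Constructed sample data: two channels with a custom "region" property.
# The second value is the kind of stored content that, rendered verbatim
# into a table cell, would run in the browser of whoever opens the list.
CHANNELS: Dict[str, Dict[str, str]] = {
    "intranet": {"channelName": "Intranet", "region": "EU"},
    "shop": {"channelName": "Shop", "region": "<script>alert(1)</script>"},
}

# Hypothetical column configuration: which properties the list shows.
COLUMNS = ["channelName", "region"]


def render_cell(value: str, escape: bool) -> str:
    """escape=False mirrors the vulnerable behaviour (value copied into the
    markup as-is); escape=True is the hardened form (HTML-encode on output)."""
    return html.escape(value, quote=True) if escape else value


def render_channel_list(channels: Dict[str, Dict[str, str]],
                        columns: List[str], escape: bool = True) -> str:
    """Build the table body for the list view from the configured columns."""
    rows = []
    for props in channels.values():
        cells = "".join(
            f"<td>{render_cell(str(props.get(col, '')), escape)}</td>"
            for col in columns
        )
        rows.append(f"<tr>{cells}</tr>")
    return "<table>" + "".join(rows) + "</table>"


# Tokens that have no business in a property meant for plain display.
MARKUP = re.compile(r"""[<>"']|javascript:|on\w+\s*=""", re.IGNORECASE)


def audit_channel_properties(channels: Dict[str, Dict[str, str]],
                             columns: List[str]) -> List[str]:
    """Defender check: report channel/property pairs whose displayed value
    contains markup-like content, e.g. to review stored values before and
    after applying the fixed release."""
    findings = []
    for channel_id, props in channels.items():
        for col in columns:
            if MARKUP.search(str(props.get(col, ""))):
                findings.append(f"{channel_id}/{col}")
    return findings
```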
Instructions
For all currently supported CMS versions, this vulnerability has been fixed through code changes only; remediation requires nothing more than updating to the latest maintenance releases: CMS 10.2.11, CMS 11.2.7, CMS 12.2.1 or CMS 12.3.0.