XSS Vulnerability in HST MessagesReplace Tag
Issue date: 26-04-2018Affects versions: 12.2, 11.2, 10.2
Issue ID: SECURITY-66
Affected Product Version(s)
This vulnerability affects all versions of delivery applications based on Hippo CMS prior to 12.3.0, 12.2.1, 11.2.7, and 10.2.11.
Severity
low
Description
The @hst.messagesReplace tag (used in Freemarker templates) did not escape the message replacement text in the final output, thereby allowing XSS exploits. The implementation of this tag now ensures the replacement text is escaped before it is added to the output.
This vulnerability is classified with severity low, as it can only be exploited by an authenticated CMS author.
Instructions
Every CMS customer is strongly advised to upgrade as soon as possible to the latest CMS maintenance release as indicated above, or higher.
Because the upgrade for these CMS maintenance versions may require some additonal steps and verification, specific upgrade documentation is available to our customers for upgrading to version 10.2.11, 11.2.7, or to 12.2.1 and 12.3.0 (login required).