Reflected Cross-Site Scripting found in the “loginmessage” parameter. 

Issue date: 27-10-2020
Affects versions: 14.2, 13.4, 12.6

Security Issue ID

SECURITY-173


Affected Product Version(s)

14.2.2, 13.4.3, 12.6.10 (and previous patch releases)


Severity 

high


Description

Bloomreach Experience Manager contained multiple Cross-Site Request Forgery (CSRF) vulnerabilities, because the CSRF protection could be bypassed by changing the HTTP method. HTTP supports multiple request methods. The web application assumed that forms would be submitted with the POST method, and only for POST requests was the Origin header checked to protect against CSRF. However, form requests were also accepted using the GET method, with the parameters passed in the URL query string, and in that case the Origin header was not checked. This allowed a malicious user to create a page containing, for example, images whose source is set to the form URL with predefined parameters. A logged-in user could be tricked into visiting this malicious page, leading to unintended actions in the web application, such as the creation of a new user.
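The following added example (not Bloomreach code; the request model, paths and origins are hypothetical) contrasts the weak pattern described above, where the Origin check runs only for POST, with a hardened handler that refuses state-changing actions over GET, checks the Origin header regardless of method, and reads parameters only from the request body. An image load from a third-party page is a plain GET without an Origin header, which is exactly what the weak filter lets through.

```python
from dataclasses import dataclass, field
from typing import Optional

APP_ORIGIN = "https://cms.example.test"  # hypothetical site origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    path: str
    origin: Optional[str] = None                  # Origin header, if the browser sent one
    query: dict = field(default_factory=dict)     # URL query-string parameters
    form: dict = field(default_factory=dict)      # POST body parameters


def origin_ok(req: Request) -> bool:
    # Fail closed: a missing Origin header is treated as cross-site.
    return req.origin is not None and req.origin == APP_ORIGIN


def weak_create_user(req: Request):
    """Pattern from the advisory: the Origin check is tied to the POST method."""
    if req.method == "POST" and not origin_ok(req):
        return 403, None
    params = {**req.query, **req.form}            # accepts parameters from either source
    if "username" in params:
        return 201, params["username"]            # user created, even via a GET image load
    return 400, None


def hardened_create_user(req: Request):
    """Same action with method, origin and parameter source enforced together."""
    if req.method not in STATE_CHANGING:          # no side effects on GET
        return 405, None
    if not origin_ok(req):                        # same check for every mutating method
        return 403, None
    if "username" in req.form:                    # never read mutations from the query string
        return 201, req.form["username"]
    return 400, None


# Constructed sample: a cross-site <img src="/create-user?username=mallory"> load.
IMG_GET = Request("GET", "/create-user", origin=None, query={"username": "mallory"})
```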

Instructions

Customers are advised to upgrade to the latest maintenance or minor releases as indicated above. This can be done by incrementing the version number of the parent POM of the implementation project.

Credit for discovering this issue

Thomas van Ruitenbeek