XSS vulnerability in Dashboard via user IDs

Issue date: 26-04-2018
Affects versions: 12.2, 11.2, 10.2

Issue ID: SECURITY-60

Affected Product Version(s)
This vulnerability applies to CMS 12.2.0, 11.2.6, and 10.2.10 and earlier versions.

Severity
low

Description

The Dashboard does not properly escape user IDs in the activity stream. As a result, a malicious admin can create a new user with an XSS payload in the user ID, and make the user ID appear in the activity stream. That payload will then be executed by anyone logging in to Hippo CMS.

Instructions

For all current supported CMS versions this vulnerability has been fixed, through code changes only, and only requires updating to the latest maintenance releases: CMS 10.2.11, CMS 11.2.7, CMS 12.2.1 or CMS 12.3.0.

Content Application

Channels

Projects

Relevance

Architecture

Concepts

Platform Configuration

Frontend Integration

Backend Development

Commerce Accelerator

Cloud Deployment (PaaS)

On-Premise Deployment

Security

Release Management

Platform Development

Bloomreach Documentation version

XSS vulnerability in Dashboard via user IDs