XSS Vulnerability in HST MessagesReplace Tag 

Issue date: 26-04-2018
Affects versions: 12.2, 11.2, 10.2


Affected Product Version(s)
This vulnerability affects all versions of delivery applications based on Hippo CMS prior to 12.3.0, 12.2.1, 11.2.7, and 10.2.11.



The @hst.messagesReplace tag (used in Freemarker templates) did not escape the message replacement text in the final output, thereby allowing XSS exploits. The implementation of this tag now ensures the replacement text is escaped before it is added to the output.

This vulnerability is classified with severity low, as it can only be exploited by an authenticated CMS author.


Every CMS customer is strongly advised to upgrade as soon as possible to the latest CMS maintenance release as indicated above, or higher.

Because the upgrade for these CMS maintenance versions may require some additonal steps and verification, specific upgrade documentation is available to our customers for upgrading to version 10.2.11, 11.2.7, or to 12.2.1 and 12.3.0 (login required).