Hippo CMS 10.1 Stored Cross-Site Scripting Vulnerability
Title: Hippo CMS 10.1 Stored Cross-Site Scripting Vulnerability
Advisory ID: ZSL-2016-5300
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 30.01.2016
Java/1.8.0_66
Apache-Coyote/1.1
[05.12.2015] Contact with the vendor.
[07.12.2015] Vendor responds asking more details.
[07.12.2015] Sent details to the vendor.
[07.12.2015] Vendor acknowledges the vulnerabilities scheduling patch release timeframe.
[18.12.2015] Vendor fixed the vulnerabilities instructing customers to update.
[29.01.2016] Vendor released security notice and version 10.1.2, 7.9.11 and 7.8.12 to address these issues.
[30.01.2016] Coordinated public security advisory released.
[2] http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html
[3] http://www.onehippo.org/about/release-notes/7_9/7.9.11-release-notes.html
[4] http://www.onehippo.org/about/release-notes/7_8/7.8.12-release-notes.html
[5] https://cxsecurity.com/issue/WLB-2016010226
[6] https://packetstormsecurity.com/files/135518
[7] https://www.exploit-db.com/exploits/39391/
[31.01.2016] - Added reference [5] and [6]
[01.02.2016] - Added reference [7]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2016-5300
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 30.01.2016
Summary
Hippo CMS is an open source Java CMS. We built it so you can easily integrate it into your existing architecture.Description
Hippo CMS suffers from a stored XSS vulnerability. Input passed thru the POST parameters 'groupname' and 'description' is not sanitized allowing the attacker to execute HTML code into user's browser session on the affected site.Vendor
Hippo B.V. - http://www.onehippo.orgAffected Version
10.1, 7.9 and 7.8 (Enterprise Edition)Tested On
Linux 2.6.32-5-xen-amd64Java/1.8.0_66
Apache-Coyote/1.1
Vendor Status
[04.12.2015] Vulnerability discovered.[05.12.2015] Contact with the vendor.
[07.12.2015] Vendor responds asking more details.
[07.12.2015] Sent details to the vendor.
[07.12.2015] Vendor acknowledges the vulnerabilities scheduling patch release timeframe.
[18.12.2015] Vendor fixed the vulnerabilities instructing customers to update.
[29.01.2016] Vendor released security notice and version 10.1.2, 7.9.11 and 7.8.12 to address these issues.
[30.01.2016] Coordinated public security advisory released.
PoC
hippocms_xss.htmlCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.onehippo.org/security-issues-list/security-12.html[2] http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html
[3] http://www.onehippo.org/about/release-notes/7_9/7.9.11-release-notes.html
[4] http://www.onehippo.org/about/release-notes/7_8/7.8.12-release-notes.html
[5] https://cxsecurity.com/issue/WLB-2016010226
[6] https://packetstormsecurity.com/files/135518
[7] https://www.exploit-db.com/exploits/39391/
Changelog
[30.01.2016] - Initial release[31.01.2016] - Added reference [5] and [6]
[01.02.2016] - Added reference [7]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk