PT-2014-69: Cross-Site Scripting in Jahia CMS
Vulnerable software
Jahia CMS
Version: 6.6.2.4 and earlier
Link:
http://www.jahia.com/
Severity level
Severity level: Medium
Impact: Cross-Site Scripting
Access Vector: Remote
CVSS v2:
Base Score: 4.3
Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE: not assigned
Software description
Jahia CMS is a web content management system.
Vulnerability description
The specialists of the Positive Research center have detected a Cross-Site Scripting vulnerability in Jahia CMS.
Reflected cross-site scripting in the manager.jsp page allows remote attackers to inject arbitrary HTML tags (including JavaScript scripts, etc.) to a page processed by user's browser.
How to fix
Update your software up to the latest version.
Advisory status
19.12.2013 - Vendor gets vulnerability details
30.04.2014 - Vendor releases fixed version and details
26.12.2014 - Public disclosure
Credits
The vulnerability was detected by using Positive Technologies Application Inspector, the application security testing system
References
http://en.securitylab.ru/lab/PT-2014-69
Reports on the vulnerabilities previously discovered by Positive Research:
http://www.ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/