PT-2014-72: Two Cross-Site Scripting vulnerabilities in Jahia CMS Vulnerable softwareJahia CMS Version: 6.6.2.4 and earlierLink: http://www.jahia.com/Severity levelSeverity level: Medium Impact: Cross-Site Scripting Access Vector: Remote CVSS v2: Base Score: 4.3 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)CVE: not assignedSoftware descriptionJahia CMS is a web content management system.Vulnerability descriptionThe specialists of the Positive Research center have detected two Cross-Site Scripting vulnerabilities in Jahia CMS.Two reflected cross-site scripting vulnerabilities in the group_copy.jsp page allows remote attackers to inject arbitrary HTML tags (including JavaScript scripts, etc.) to a page processed by user's browser.How to fix Update your software up to the latest version.Advisory status 19.12.2013 - Vendor gets vulnerability details 30.04.2014 - Vendor releases fixed version and details 26.12.2014 - Public disclosureCreditsThe vulnerabilities were detected by using Positive Technologies Application Inspector, the application security testing systemReferenceshttp://en.securitylab.ru/lab/PT-2014-72 Reports on the vulnerabilities previously discovered by Positive Research:http://www.ptsecurity.com/research/advisory/ http://en.securitylab.ru/lab/