XXE and XSS vulnerabilities in Hippo CMS application
Issue date: 29-01-2016
Affects versions: 10.1, 10.0, 7.9, 7.8
Issue id: SECURITY-12
Through an external security report and subsequent further investigation by Hippo we discovered a few important security vulnerabilities within our Hippo CMS application.
Important to note is that these vulnerabilities do not concern the delivery tier (i.e. websites managed and rendered through Hippo); they apply only to the CMS authoring web application and require a logged-in CMS user to exploit.
Hippo has implemented fixes for all of these vulnerabilities across all supported versions and provides new releases of all affected modules so that you can upgrade and close these vulnerabilities in your implementation of Hippo.
Hippo strongly advises all customers to apply these fixes by upgrading as soon as possible; detailed instructions are given further below.
There are two types of security vulnerabilities fixed:
XXE (XML External Entity) processing through the upload of SVG images in the CMS, and through XML import in the CMS Console application.
For further background information concerning XXE vulnerabilities in general, see:
Fixes for these have been implemented in the Hippo cms and repository modules.
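The following is an added illustration of the two sides of the SVG-upload and XML-import issue described above; it is not code from the advisory or from Hippo's modules. The SVG documents, the in-memory `FAKE_FS` stand-in for the server's filesystem, and the function names are constructed for the example, and it uses Python's expat bindings rather than the Java XML parsers the CMS is built on. `parse_resolving_entities` shows what a parser that honours external entities does with an uploaded SVG: the referenced file's contents end up inside the parsed document, where the logged-in user who uploaded it can read them back. `parse_untrusted_xml` is the hardened form, which aborts on any DOCTYPE, entity declaration or external entity reference before any resolution can happen, and `vet_upload` wraps it as an accept/reject gate suitable for both the image upload and the Console import path.

```python
import xml.parsers.expat as expat

# Constructed sample inputs (not from the advisory): a harmless SVG and one
# carrying an external entity that a resolving parser would read from disk.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
MALICIOUS_SVG = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>'
)

# Stand-in for the server's filesystem so the demo never touches real files.
FAKE_FS = {"file:///etc/passwd": b"root:x:0:0:root:/root:/bin/bash"}


class UnsafeXml(ValueError):
    """Raised when untrusted XML carries a DTD or entity construct."""


def parse_resolving_entities(data: bytes) -> str:
    """Pre-fix behaviour: a parser wired to resolve external entities.
    Returns the character data of the document, which for MALICIOUS_SVG
    includes the contents of the referenced 'file'."""
    parser = expat.ParserCreate()
    chunks = []

    def external_entity_ref(context, base, system_id, public_id):
        # A real resolver would open system_id; here it is served from FAKE_FS.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(FAKE_FS.get(system_id, b""), True)
        return 1

    parser.ExternalEntityRefHandler = external_entity_ref
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def parse_untrusted_xml(data: bytes) -> list:
    """Hardened parser for uploads and imports: any DOCTYPE, entity
    declaration or external entity reference aborts the parse.
    Returns the element names in document order."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    names = []

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXml("DOCTYPE not allowed (root %r, system id %r)" % (name, system_id))

    def reject_entity(name, is_parameter, value, base, system_id, public_id, notation):
        raise UnsafeXml("entity declaration %r not allowed" % name)

    def reject_external_ref(context, base, system_id, public_id):
        raise UnsafeXml("external entity reference to %r not allowed" % system_id)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def vet_upload(data: bytes):
    """Gate for the upload/import path: (True, element names) or (False, reason)."""
    try:
        return True, parse_untrusted_xml(data)
    except UnsafeXml as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, "malformed XML: %s" % exc


if __name__ == "__main__":
    print("leaked via resolving parser:", parse_resolving_entities(MALICIOUS_SVG))
    print("benign upload:", vet_upload(BENIGN_SVG))
    print("malicious upload:", vet_upload(MALICIOUS_SVG))
```

Rejecting the DOCTYPE outright is the simplest policy for SVG and for XML import, because neither use needs a DTD; it also closes the internal-entity expansion ("billion laughs") variant that external-entity blocking alone leaves open. In a Java parser the same policy is expressed through the factory's security features (disallowing the doctype declaration and external general and parameter entities) rather than handlers.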
XSS (Cross-site-Scripting) vulnerabilities in several modules within the CMS application.
For further background information concerning XSS vulnerabilities in general, see:
Fixes have been implemented in the Hippo cms, channelmanager, targeting and eforms modules through internal code changes only.
These vulnerabilities were discovered and reported by Gjoko Krstic from Zero Science Lab (http://www.zeroscience.mk).