XXE and XSS vulnerabilities in Hippo CMS application 

Issue date: 29-01-2016
Affects versions: 10.1, 10.0, 7.9, 7.8

Issue id: SECURITY-12

 

Severity 

High


Description

Through an external security report and subsequent further investigation by Hippo we discovered a few important security vulnerabilities within our Hippo CMS application.

 

Important to mention is that these vulnerabilities do not concern the delivery tier, e.g. websites managed and rendered through Hippo, these only apply to the CMS authoring web application, and require an logged in CMS user to exploit.

Hippo has implemented fixes for all these vulnerabilities across all supported versions and provides new releases of all concerned modules to be able to upgrade and close these vulnerabilities in your implementation of Hippo.

Hippo strongly advises all customers to apply these fixes by upgrading as soon as possible, detailed instructions are described further below.

 

There are two type of security vulnerabilities fixed:

 

Fixes have been implemented in the Hippo cms, channelmanager, targeting and eforms modules through internal code changes only.

These fixes themselves do not require specific configuration changes or upgrade steps other than upgrading to the latest minor Hippo CMS 10.1.2, 7.9.11, or 7.8.12.

 

Credits
These vulnerabilities were discovered and reported by Gjoko Krstic from Zero Science Lab (http://www.zeroscience.mk)