Concrete5 <= 5.7.3.1 Multiple Reflected Cross-Site Scripting Vulnerabilities
• Software Link:
• Affected Versions:
Version 5.7.3.1 and probably other versions.
• Vulnerabilities Description:
1) The vulnerable code is located in /concrete/views/panels/details/page/versions.php:
<? foreach($_REQUEST['cvID'] as $cvID) { $tabs[] = array('view-version-' . $cvID, t('Version %s', $cvID), $checked); $checked = false; } print $ih->tabs($tabs); foreach($_REQUEST['cvID'] as $cvID) { ?> <div id="ccm-tab-content-view-version-<?=$cvID?>" style="display: <?=$display?>; height: 100%"> <iframe border="0" id="v<?=time()?>" frameborder="0" height="100%" width="100%" src="<?=REL_DIR_FILES_TOOLS_REQUIRED?>/pages/preview_version?cvID=<?=$cvID?>&cID=<?=$_REQUEST['cID']?>" />
User input passed through the “cvID” and “cID” request parameters is not properly sanitized before being used to generate HTML output at lines 6 and 13. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.
2) The vulnerable code is located in /concrete/src/Form/Service/Widget/UserSelector.php:
public function selectUser($fieldName, $uID = false, $javascriptFunc = 'ccm_triggerSelectUser') { $selectedUID = 0; if (isset($_REQUEST[$fieldName])) { $selectedUID = $_REQUEST[$fieldName]; } else if ($uID > 0) { $selectedUID = $uID; } $html = ''; $html .= '';'; if ($selectedUID > 0) { $ui = UserInfo::getByID($selectedUID); $html .= $ui->getUserName(); } $html .= ''; $identifier = new \Concrete\Core\Utility\Service\Identifier(); $selector = $identifier->getString(32); $html .= '' . t('Select User') . ''; $html .= ''; $html .= '
User input passed through the “uID” request parameter is not properly sanitized before being used to generate HTML output at line 35. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.
3) The vulnerable code is located in /concrete/elements/group/search.php:
$searchRequest = $_REQUEST; $result = Loader::helper('json')->encode($controller->getSearchResultObject()->getJSONObject()); $tree = GroupTree::get(); $guestGroupNode = GroupTreeNode::getTreeNodeByGroupID(GUEST_GROUP_ID); $registeredGroupNode = GroupTreeNode::getTreeNodeByGroupID(REGISTERED_GROUP_ID); ?> <style type="text/css"> div[data-search=groups] form.ccm-search-fields { margin-left: 0px !important; } </style> <div data-search="groups"> <script type="text/template" data-template="search-form"> <form role="form" data-search-form="groups" action="<?=URL::to('/ccm/system/search/groups/submit')?>" class="form-inline ccm-search-fields ccm-search-fields-none"> <input type="hidden" name="filter" value="<?php echo $searchRequest['filter']?>" />
User input passed through the “filter” request parameter is not properly sanitized before being used to generate HTML output at line 20. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.
4) User input passed through the “msCountry” POST parameter to /index.php/dashboard/system/multilingual/setup/load_icon is not properly sanitized before being used to generate HTML output. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.
5) User input passed through the “pageURL” POST parameter to /index.php/dashboard/pages/single is not properly sanitized before being used to generate HTML output. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.
6) The vulnerable code is located in /concrete/attributes/select/form.php:
$vals = $this->post('atSelectNewOption'); if (is_array($vals)) { foreach($vals as $v) { ?> <div class="newAttrValue"> <?=$form->hidden($this->field('atSelectNewOption') . '[]', $v)?> <span class="badge"><?php echo $v?></span>
User input passed through the “atSelectNewOption” POST parameter is not properly sanitized before being used to generate HTML output at line 60. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.
• Solution:
Update to version 5.7.4 or later.
• Disclosure Timeline:
[05/05/2015] – Vulnerabilities details sent through HackerOne
[05/05/2015] – Vendor said that two vulnerabilities were already fixed in development
[07/05/2015] – Version 5.7.4 released along with the patch for these vulnerabilities
[06/06/2015] – Vulnerabilities publicly disclosed on HackerOne
[11/06/2015] – CVE number requested
[11/06/2015] – Publication of this advisory
[23/06/2015] – CVE number assigned
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2015-4721 to these vulnerabilities.
• Credits:
Vulnerabilities discovered by Egidio Romano of Minded Security.
• Other References:
https://www.mindedsecurity.com/index.php/research/advisories/msa110615-2
https://hackerone.com/reports/59661