TWSL2016-004: Multiple Cross-Site Scripting (XSS) Vulnerabilities in Magnolia CMS

Trustwave SpiderLabs published an advisory today in conjunction with Magnolia International Ltd. for multiple cross-site scripting vulnerabilities in the Magnolia CMS product. Magnolia CMS is an open source, java based, web content management system. The vulnerabilities, discovered by Michel Chamberland, are primarily due to several pages of the web application reflecting back user supplied data without sanitizing it. In one instance, this input is also stored and leads to stored cross-site scripting in addition to reflecting the malicious payload. These cross-site scripting vulnerabilities allow an attacker to inject malicious scripts via a URL or otherwise that will ultimately be executed in the victim's web browser.

Affected users can patch these vulnerabilities by upgrading to the latest versions of Magnolia CMS which can be found here:

5.4.5 - See https://documentation.magnolia-cms.com/display/DOCS/Release+notes+for+Magnolia+5.4.5
5.3.14 - See https://documentation.magnolia-cms.com/display/DOCS53/Release+notes+for+Magnolia+5.3.14
5.2.12 - See https://documentation.magnolia-cms.com/display/DOCS53/Release+notes+for+Magnolia+5.2.12
4.5.28 - See https://documentation.magnolia-cms.com/display/DOCS45/Release+notes+for+Magnolia+4.5.28

For more details regarding this advisory please visit:

Trustwave's SpiderLabs Advisory (TWSL2016-004): https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-004/?fid=7651

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.