======================================================================
                      DEVWERKS SECURITY ADVISORY
                          www.devwerks.net
======================================================================

devWerks Advisory ID:   DW-2016-008
Application:            CONTENIDO <= 4.9.11
Vendor:                 CONTENIDO
Subject:                Cross-site Scripting - XSS
Author:                 Johannes Schroeter (j.schroeter@devwerks.net)
Date:                   2016-10-20

======================================================================
Overview:

CONTENIDO is a content management system (CMS). It features advanced
user management, in-site editing, a WYSIWYG editor, and more.

devWerks discovered several security flaws in the CONTENIDO web
application that allow attacker-supplied script to be executed in the
browsers of its users.

======================================================================
Details:

The first vulnerability exists within the application's contact form
function and is due to improper input sanitization. JavaScript
submitted through a form field is neither sanitized nor validated and
therefore executes within the context of the CONTENIDO web
application.

The second vulnerability exists within the application's form
assistant function (backend) and is likewise due to improper input
sanitization. JavaScript injected through the frontend contact form
is saved with the submission and executes when a privileged user views
it in the form assistant (stored XSS). Because the payload is planted
from the public frontend and runs in a backend user's session, an
unauthenticated attacker can act with that user's privileges.

======================================================================
Timeline:

2016-10-09: Vendor notified
2016-10-10: Vendor response
2016-10-11: Vulnerability details sent to vendor
2016-10-20: Vendor confirmed security issue
2016-10-20: Release of patched vendor software version 4.9.12
2017-01-30: Public release of this advisory

======================================================================
Recommendation:

It is recommended to install the patched version 4.9.12 or later.
Grab your copy at: http://www.contenido.org/

======================================================================
References:

http://www.contenido.org/
http://devwerks.net
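The following is an added illustration, not code from CONTENIDO and not part of this advisory: a minimal Python model of the flaw class described under Details, in which a contact-form submission is stored and later rendered into a backend listing. The submissions, field names, allowed tag set and rendering functions are constructed for the example. It shows that stripping <script> tags (a blacklist filter) does not stop an event-handler payload, while HTML-escaping every stored value at the point of output does.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample submissions (not real CONTENIDO data). The first is a
# benign message; the others are XSS payloads of the kind a public contact
# form might receive. The <img onerror> variant shows why stripping only
# <script> tags is not a fix.
SUBMISSIONS = [
    {"name": "Alice", "message": "Hello, I have a question about pricing."},
    {"name": "<script>alert(1)</script>", "message": "test"},
    {"name": "Mallory", "message": '<img src=x onerror="alert(document.cookie)">'},
]

# Tags the backend listing itself emits; anything else in the rendered
# output came from untrusted input.
ALLOWED_TAGS = ("table", "tr", "td")


def naive_sanitize(value: str) -> str:
    """Blacklist filter that gives a false sense of safety: it removes
    <script> tags but leaves event-handler attributes such as onerror alone."""
    return re.sub(r"(?is)<\s*/?\s*script[^>]*>", "", value)


def render_vulnerable(submissions):
    """Backend listing that interpolates stored input straight into HTML.
    Any markup in a submission becomes live markup in the admin's browser."""
    rows = "".join(
        f"<tr><td>{s['name']}</td><td>{s['message']}</td></tr>" for s in submissions
    )
    return f"<table>{rows}</table>"


def render_hardened(submissions):
    """Same listing with contextual output encoding: each untrusted value is
    HTML-escaped (quotes included) where it enters an HTML text node, so the
    stored payload is displayed as text instead of being executed."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(
            html.escape(s["name"], quote=True), html.escape(s["message"], quote=True)
        )
        for s in submissions
    )
    return f"<table>{rows}</table>"


class _TagCollector(HTMLParser):
    """Collects start tags and on* event-handler attribute names."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.lower().startswith("on"))


def injected_markup(rendered: str, allowed=ALLOWED_TAGS):
    """Return the sorted set of unexpected tags and event handlers that a
    browser would parse from the rendered page. Escaped input never reaches
    handle_starttag, so a clean rendering yields an empty list."""
    parser = _TagCollector()
    parser.feed(rendered)
    unexpected = {t for t in parser.tags if t not in allowed} | set(parser.handlers)
    return sorted(unexpected)


if __name__ == "__main__":
    blacklisted = [{k: naive_sanitize(v) for k, v in s.items()} for s in SUBMISSIONS]
    print("vulnerable:", injected_markup(render_vulnerable(SUBMISSIONS)))
    print("blacklist :", injected_markup(render_vulnerable(blacklisted)))
    print("hardened  :", injected_markup(render_hardened(SUBMISSIONS)))
```

Run directly, the vulnerable rendering reports the injected script tag, img tag and onerror handler; the blacklist-filtered rendering still reports the img tag and its onerror handler; the hardened rendering reports nothing. The fix to take from this is encoding at the output context (here an HTML text node), applied to every stored value the backend displays, rather than trying to strip dangerous input on the way in.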