Ektron Content Management System (CMS) contains multiple vulnerabilities

Overview

Ektron Content Management System (CMS) versions 8.5, 8.7, and 9.0 contain a XXE and a resource injection vulnerability.

Description

**Note:**A prior version of this report indicated incorrectly that Ektron CMS version 9.1 was vulnerable. The vendor indicated that the last version to ship with this vulnerability was version 9.0.

CWE-611**: Improper Restriction of XML External Entity Reference (‘XXE’) -**CVE-2015-0923
Ektron Content Management System version 8.5, 8.7, and 9.0 contain a XXE vulnerability in /Workarea/ServerControlWS.asmx. The parameter xslt of the method ContentBlockEx allows a remote unauthenticated user to read arbitrary files.

CWE-99**: Improper Control of Resource Identifiers (‘Resource Injection’)**** -**CVE-2015-0931
Ektron Content Management System version 8.5, 8.7, and 9.0 contain a resource injection vulnerability by using an improperly configured XML parser. By default, Ektron utilizes the Microsoft XML parser to parse XSLT documents, which is not vulnerable. If an attacker specifies use of the Saxon XSLT parser instead, and sends it a specially crafted XSLT document, the attacker may be able to run arbitrary code at the privilege level of the application.

The CVSS score reflects CVE-2015-0923.

---

Impact

A remote, unauthenticated user may be able to read arbitrary files on the server. In the case of the resource injection vulnerability, a remote, unauthenticated attacker may be able to run arbitrary code on the server at the privilege level of the application.

---

Solution

Apply an Update

The vendor Ektron reported that both of these issues were fixed in the October 2013 update. In particular, Ektron states:

_"__This was patched via a cumulative security patcher that was made available Oct 9, 2013 that would apply the updates to versions 8.0.2 to 9.0. The current version of the patcher is available at: __<https://portal.ektron.com/News/Security/Security_Notice_-_11-25-14/&gt;__ _
8.7sp2 (released 8/16/2013), 9.0sp1 (released 8/19/2013), and 9.1 (released 8/28/2014) were all released with the fix in place. Subsequent service packs also contain the fixes for those versions."

The vendor recommends users go to their support site to obtain the latest update.

---

Vendor Information

377644

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Ektron Affected

Notified: November 05, 2014 Updated: January 13, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base	5	AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal	4.3	E:POC/RL:U/RC:UR
Environmental	3.2	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

• <http://cwe.mitre.org/data/definitions/611.html&gt;
• <http://cwe.mitre.org/data/definitions/99.html&gt;
• <http://www.ektron.com/Products/Ektron-CMS/&gt;
• <https://portal.ektron.com/Downloads/&gt;

Acknowledgements

Thanks to Matthias Kaiser for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs:	CVE-2015-0923, CVE-2015-0931
Date Public:	2014-02-05 Date First Published: