Responsible Disclosure
Handling security vulnerabilities responsibly

LivingLogic XIST4C (CMS) – XSS Vulnerability


LivingLogic XIST4C (CMS) before 0.107.8 allows XSS.

XIST4C is a content management system developed and distributed by LivingLogic. The software is also known by the name living apps. 

Cross Site Scripting (Reflected)

The security flaw exists because the software does not neutralize user-controlled input before placing it in the output that becomes a web page. An attacker can therefore craft links that, when opened by a victim, cause script to run in the victim's browser in the context of the site.

Affected versions:

>=0.89.0 and <0.107.8

Affected Components:

/feedback.htm
/feedback.prhtm
/feedback.wihtm
/login-form.htm
/login.htm
/login.prhtm
/login.wihtm

The following CVEs are assigned for this security flaw:

CVE-2021-26122
CVE-2021-26123

Demo

Sending manipulated request:

Receiving manipulated response:

Fix

Variables that users can influence must never be trusted. Every transmitted input must therefore be validated, and output must be escaped for the context in which it is placed. It is recommended to review which escaping methods are in use and to extend them where necessary.
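The following Python example is added to this advisory to illustrate the flaw class described above (a form page reflecting a request parameter into HTML without neutralizing it) next to the fix recommended here (context-aware escaping of every user-controlled value). It is not LivingLogic's code; the `user` and `msg` parameter names, the form markup and the sample query string are constructed for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query string of the kind a feedback or login form
# receives. The "msg" value carries markup that must not reach the page intact.
SAMPLE_QUERY = "user=alice&msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def parse_query(query):
    """Return single-valued form parameters from a URL query string."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_vulnerable(params):
    """Reflect request parameters into HTML without neutralizing them.

    This is the defect pattern the advisory describes: whatever the client
    sent is copied verbatim into attribute and element context.
    """
    user = params.get("user", "")
    msg = params.get("msg", "")
    return (
        '<form action="/login.htm">'
        f'<input name="user" value="{user}">'
        f'<p class="notice">{msg}</p>'
        "</form>"
    )


def render_fixed(params):
    """Same page, with every user-controlled value escaped for its HTML context.

    html.escape(..., quote=True) neutralizes <, >, &, " and ', which covers
    both the attribute value (quoted with ") and the element body.
    """
    user = html.escape(params.get("user", ""), quote=True)
    msg = html.escape(params.get("msg", ""), quote=True)
    return (
        '<form action="/login.htm">'
        f'<input name="user" value="{user}">'
        f'<p class="notice">{msg}</p>'
        "</form>"
    )


def reflects_raw_markup(rendered, params):
    """Regression check: does any submitted value containing markup characters
    appear in the output unchanged? Useful as a unit test on form handlers."""
    for value in params.values():
        if any(c in value for c in "<>\"'") and value in rendered:
            return True
    return False


if __name__ == "__main__":
    p = parse_query(SAMPLE_QUERY)
    print("vulnerable:", render_vulnerable(p))
    print("fixed:     ", render_fixed(p))
    print("raw markup reflected (vulnerable):", reflects_raw_markup(render_vulnerable(p), p))
    print("raw markup reflected (fixed):     ", reflects_raw_markup(render_fixed(p), p))
```

The `reflects_raw_markup` check is the kind of test worth adding to each affected handler (the feedback and login pages listed above): it fails whenever a parameter containing markup characters survives rendering unchanged, regardless of which template produced the page.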

After being informed of the vulnerability, the vendor assured us that the main product is fixed for all customers.

Responsible Disclosure

Date         Description
2020-09-13   Vulnerability found and verified
2020-09-17   Vendor contacted and informed about the vulnerability
2020-09-17   Vendor acknowledged the vulnerability and confirmed that a fix for newer versions already exists
2020-09-23   Further information requested from the vendor to register the CVE
2020-10-05   Vendor provided further information and assured that the main product is fixed for all clients
2021-01-25   CVE number requested
2021-02-03   Demo / documentation created
2021-04-28   Publication of the vulnerability
