Responsible Disclosure: Dealing responsibly with Security Vulnerabilities

LivingLogic XIST4C (CMS) – XSS Vulnerability

LivingLogic XIST4C (CMS) before 0.107.8 allows XSS.

XIST4C is a content management system developed and distributed by LivingLogic. The software is also known by the name living apps. 

Cross Site Scripting (Reflected)

The security flaw exists because the software does not neutralize user input before placing it in output that is rendered as a web page. An attacker can therefore craft links that, when opened by a victim, cause the page to reflect attacker-supplied markup into the victim's browser.

Affected versions:

>=0.89.0 and <0.107.8

Affected Components:

/feedback.htm
/feedback.prhtm
/feedback.wihtm
/login-form.htm
/login.htm
/login.prhtm
/login.wihtm

The following CVEs are assigned for this security flaw:

CVE-2021-26122
CVE-2021-26123

Demo

Sending manipulated request:

Receiving manipulated response:

Fix

Variables that can be changed by users must never be trusted. The transmitted inputs must therefore always be validated, and output must be escaped for the context in which it is emitted. It is recommended to check which escaping methods are in use and to extend them where necessary.

The vendor assured that the main product is fixed for all customers after being informed about the vulnerability.
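The following is an added example, not code from the advisory or from LivingLogic's XIST4C. It shows the flaw class described above (a reflected parameter written into a page without neutralization) beside the hardened form that escapes every reflected value for its HTML context, and a small regression check a defender can run against a rendered response to detect input that is reflected verbatim. The query string and the parameter names "name" and "msg" are constructed for the example; they are not parameters documented for XIST4C.

```python
import html
from urllib.parse import parse_qs

# Constructed sample request, as a feedback page might receive it.
# "name" and "msg" are hypothetical parameter names, not XIST4C's own.
SAMPLE_QUERY = 'name=Alice&msg=%3Cb%3Ehi%3C%2Fb%3E%22%3E%3Cscript%3Ex%28%29%3C%2Fscript%3E'


def parse_query(query: str) -> dict[str, str]:
    """Decode a query string into single-valued parameters (first value wins)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_feedback_unsafe(params: dict[str, str]) -> str:
    """The flaw class the advisory describes: user input is placed into the
    page without neutralization, so markup in the input becomes part of the DOM."""
    name = params.get("name", "")
    msg = params.get("msg", "")
    return (
        '<form action="/feedback.htm">'
        f'<input name="name" value="{name}">'
        f'<textarea name="msg">{msg}</textarea>'
        '</form>'
    )


def escape_html(value: str) -> str:
    """Neutralize text for an HTML element body or a double-quoted attribute.
    quote=True also encodes ' and ", so a value cannot close its attribute."""
    return html.escape(value, quote=True)


def render_feedback_safe(params: dict[str, str]) -> str:
    """Same page, with every reflected value escaped for its HTML context."""
    name = escape_html(params.get("name", ""))
    msg = escape_html(params.get("msg", ""))
    return (
        '<form action="/feedback.htm">'
        f'<input name="name" value="{name}">'
        f'<textarea name="msg">{msg}</textarea>'
        '</form>'
    )


# Characters that change meaning inside HTML when emitted unescaped.
SPECIAL = set('<>"\'&')


def reflected_unescaped(query: str, body: str) -> list[str]:
    """Regression check: names of parameters whose value contains HTML-significant
    characters and appears verbatim in the response body. A non-empty result
    means the page emits user input without escaping it."""
    params = parse_query(query)
    return sorted(
        name for name, value in params.items()
        if SPECIAL & set(value) and value in body
    )


if __name__ == "__main__":
    p = parse_query(SAMPLE_QUERY)
    print(reflected_unescaped(SAMPLE_QUERY, render_feedback_unsafe(p)))  # ['msg']
    print(reflected_unescaped(SAMPLE_QUERY, render_feedback_safe(p)))    # []
```

The check in reflected_unescaped is deliberately simple: it flags only values that survive unchanged, which is enough to catch the "no escaping at all" case this advisory describes. Escaping that is applied but wrong for the context (for example, HTML-escaping a value that lands inside a script block or an unquoted attribute) needs a context-aware review of the templates rather than this test alone.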

Responsible Disclosure

Date         Description
2020-09-13   Vulnerability found and verified
2020-09-17   Vendor contacted and informed about the vulnerability
2020-09-17   Vendor acknowledged vulnerability and confirms that a fix for newer versions already exists
2020-09-23   Further information is requested from the vendor to register the CVE
2020-10-05   Vendor provided further information and assured that the main product is fixed for all clients
2021-01-25   CVE number requested
2021-02-03   Created Demo / Documentation
2021-04-28   Publication of the vulnerability
