LivingLogic XIST4C (CMS) before 0.107.8. allows XSS
XIST4C is a content management system developed and distributed by LivingLogic. The software is also known by the name living apps.
Cross Site Scripting (Reflected)
The security flaw exists because the software does not neutralize user input before it is placed in output that is used as a web page. This enables the creation and sending of compromised links to victims.
Affected versions:
>=0.89.0 and <0.107.8
Affected Components:
/feedback.htm
/feedback.prhtm
/feedback.wihtm
/login-form.htm
/login.htm
/login.prhtm
/login.wihtm
The following CVEs are assigned for this security flaw:
CVE-2021-26122
CVE-2021-26123
Demo
Sending manipulated request:
Receiving manipulated response:
Fix
Variables which can be changed by users must not be trusted in general. Therefore, a validation of the transmitted inputs must always take place. It is recommended to check which escaping methods are used and to extend them if necessary.
The vendor assured that the main product is fixed for all customers after being informed about the vulnerability.
Responsible Disclosure
| Date | Description |
| 2020-09-13 | Vulnerability found and verified |
| 2020-09-17 | Vendor contacted and informed about the vulnerability |
| 2020-09-17 | Vendor acknowledged vulnerability and cofirms that a fix for newer versions already exists |
| 2020-09-23 | Further information is requested from the vendor to register the CVE |
| 2020-10-05 | Vendor provided further information and assured that the main product is fixed for all clients |
| 2021-01-25 | CVE number requested |
| 2021-02-03 | Created Demo / Documentation |
| 2021-04-28 | Publication of the vulnerability |
