LivingLogic XIST4C (CMS) before 0.107.8 allows XSS

XIST4C is a content management system developed and distributed by LivingLogic. The software is also known by the name living apps.

Cross Site Scripting (Reflected)

The security flaw exists because the software does not neutralize user-supplied input before placing it in output that is rendered as a web page. An attacker can therefore craft a link that, when opened by a victim, executes attacker-controlled script in the victim's browser in the context of the affected site.

Affected versions:

>=0.89.0 and <0.107.8

 

Affected Components:

/feedback.htm 
/feedback.prhtm 
/feedback.wihtm
/login-form.htm 
/login.htm 
/login.prhtm 
/login.wihtm 

 

The following CVEs have been assigned to this security flaw:

CVE-2021-26122
CVE-2021-26123
Demo

Sending the manipulated request:

(screenshot: manipulated request)

Receiving the manipulated response:

(screenshot: manipulated response)
Fix

Values that can be influenced by users must never be trusted. Submitted inputs must always be validated, and, decisive for this class of flaw, every value must be escaped for the context in which it is inserted into the page (HTML body, attribute value, JavaScript, URL). It is recommended to review which escaping methods the affected templates use and to extend them where necessary.

After being informed about the vulnerability, the vendor assured that the main product is fixed for all customers.
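To make the recommendation concrete, the following added example (written for this page, not code from XIST4C or LivingLogic) shows the reflection pattern behind a reflected XSS beside its escaped form, together with the check one would run when verifying a fix. The template, the field name `username` and the payload are constructed for illustration; the advisory does not disclose which parameters of the affected pages were reflected.

```python
import html

# Constructed illustration of a server-side template that echoes a submitted
# field back into the page. Hypothetical; not XIST4C's own template.
LOGIN_TEMPLATE = (
    '<form method="post" action="/login.htm">'
    '<input type="text" name="username" value="{username}">'
    '<p>Login failed for {username}</p>'
    '</form>'
)


def render_vulnerable(username: str) -> str:
    """Reflect the user-controlled value verbatim.

    This is the pattern behind a reflected XSS: a quote in the value closes the
    attribute, a '<' opens a new tag, and the browser executes whatever follows.
    """
    return LOGIN_TEMPLATE.replace("{username}", username)


def render_escaped(username: str) -> str:
    """Escape the value for HTML element content and double-quoted attributes.

    html.escape(quote=True) rewrites & < > " and ' so the value can neither
    terminate the attribute nor start a tag. Escaping is context-specific:
    a value inserted into a <script> block or a URL needs a different encoder.
    """
    return LOGIN_TEMPLATE.replace("{username}", html.escape(username, quote=True))


def reflects_unescaped(page: str, payload: str) -> bool:
    """Verification check: does the raw payload survive in the response body?

    True means the reflection is unescaped and the page is still vulnerable.
    """
    return payload in page


# Constructed probe: breaks out of the attribute, then injects a script tag.
PAYLOAD = '"><script>alert(1)</script>'


if __name__ == "__main__":
    print("vulnerable :", reflects_unescaped(render_vulnerable(PAYLOAD), PAYLOAD))
    print("escaped    :", reflects_unescaped(render_escaped(PAYLOAD), PAYLOAD))
    print(render_escaped(PAYLOAD))
```

The `reflects_unescaped` check is the same test applied when re-testing the affected pages after an update: send the probe in each reflected parameter and confirm that only the encoded form (`&quot;&gt;&lt;script&gt;...`) appears in the response.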

Responsible Disclosure
Date Description
2020-09-13 Vulnerability found and verified
2020-09-17 Vendor contacted and informed about the vulnerability
2020-09-17 Vendor acknowledged the vulnerability and confirmed that a fix for newer versions already exists
2020-09-23 Further information is requested from the vendor to register the CVE
2020-10-05 Vendor provided further information and assured that the main product is fixed for all clients
2021-01-25 CVE number requested
2021-02-03 Created Demo / Documentation
2021-04-28 Publication of the vulnerability