Description
This version of Ektron CMS is affected by multiple security vulnerabilities, including unauthenticated code execution and local file read.
1. CVE-5357 - Unauthenticated code execution in the context of the web server
The root cause is that Ektron processed user-controlled XSL on a page that required no authentication. It loaded the stylesheet with the XslCompiledTransform class using XsltSettings with EnableScript set to true, which allows the supplied stylesheet to run embedded script (msxsl:script) under the web server's identity.
2. CVE-5358 - Local File Read
Ektron had also configured the XSLT settings with EnableDocumentFunction set to true. This lets an unauthenticated attacker use the XSLT document() function to read arbitrary files, such as web.config and machine.config. With the contents of those files an attacker could, for example, bypass authentication, forge ViewState, or bring down the server.
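As an added example, not Ektron's own code, the following shows the weak XsltSettings combination described in both items beside a hardened load of an untrusted stylesheet; the class and method names are assumed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

public static class XsltHardening
{
    // BEFORE: mirrors the advisory's root cause. Script and document() are both
    // enabled, and XmlUrlResolver lets the stylesheet reach files and URLs.
    public static string TransformUnsafe(string untrustedXsl, string inputXml)
    {
        var settings = new XsltSettings(enableDocumentFunction: true, enableScript: true);
        var xslt = new XslCompiledTransform();
        using (var xslReader = XmlReader.Create(new StringReader(untrustedXsl)))
            xslt.Load(xslReader, settings, new XmlUrlResolver());
        return Apply(xslt, inputXml);
    }

    // AFTER: XsltSettings.Default disables both script and document(); a null
    // resolver stops xsl:import/xsl:include from fetching external resources;
    // DTD processing is prohibited so the stylesheet cannot declare entities.
    // Script support should only ever be turned on for stylesheets you author.
    public static string TransformHardened(string untrustedXsl, string inputXml)
    {
        var readerSettings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        var xslt = new XslCompiledTransform();
        using (var xslReader = XmlReader.Create(new StringReader(untrustedXsl), readerSettings))
            xslt.Load(xslReader, XsltSettings.Default, null);
        return Apply(xslt, inputXml);
    }

    private static string Apply(XslCompiledTransform xslt, string inputXml)
    {
        var output = new StringWriter();
        using (var input = XmlReader.Create(new StringReader(inputXml)))
            xslt.Transform(input, null, output);
        return output.ToString();
    }

    public static void Main()
    {
        // Constructed, benign stylesheet and input: no script, no document().
        const string xsl = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">" +
            "<xsl:template match=\"/\"><out><xsl:value-of select=\"/doc/item\"/></out></xsl:template></xsl:stylesheet>";
        const string xml = "<doc><item>hello</item></doc>";
        Console.WriteLine(TransformHardened(xsl, xml)); // ordinary stylesheets still transform
    }
}
```

A stylesheet that uses msxsl:script or document() fails at Load time under the hardened settings with an XsltException, which is the point at which to log the attempt.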
Remediation
Upgrade to the latest version of Ektron CMS.