-
-
Save basraznov/31ddfd27a5c4ff9ca75f8eb532a8153e to your computer and use it in GitHub Desktop.
Revisions
-
paatui revised this gist
Mar 2, 2022 . 1 changed file with 5 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -15,6 +15,11 @@ Reflected Cross Site Scripting (XSS) vulnerability exists in Alfresco Community 2. Navigate to “Node Browser” function in “Support Tools” and querying the Node browser by pressing the “Execute” button. 3. Inject JavaScript into “action” parameter.    # Timeline **Discovery and report** : 24 June 2019 \ **CVE ID was assigned** : 11 Aug 2021 \ -
Mar 2, 2022 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,24 @@ # Alfresco Community Edition v5.2.0 – Reflected XSS vulnerability in Administration Console # Description Alfresco is a collection of information management software products for Microsoft Windows and Unix-like operating systems developed by Alfresco Software Inc. using Java technology. Reflected Cross Site Scripting (XSS) vulnerability exists in Alfresco Community Edition v5.2.0 via the action parameter in the alfresco/s/admin/admin-nodebrowser API, which allows a remote attacker to inject arbitrary JavaScript. **Date**: 03 March 2022 \ **Software Link:** https://www.alfresco.com \ **Exploit Author**: Chakrit Sangsakul, Pongpol Phaiaroonrut, Thanavit Chongsutakawewong \ **CVE**: CVE-2020-18327 \ **Category:** Web Application # Proof of Concept 1. Access to Alfresco Administration Console. 2. Navigate to “Node Browser” function in “Support Tools” and querying the Node browser by pressing the “Execute” button. 3. Inject JavaScript into “action” parameter. # Timeline **Discovery and report** : 24 June 2019 \ **CVE ID was assigned** : 11 Aug 2021 \ **Public** : 3 March 2022 # Solution - Update Alfresco Community Edition to version v6.2 or later - Consider complying to the OWASP's XSS prevention guidelines. (https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)