About XML External Entity vulnerability in EPiServer CMS 5, 6 and 7

The vulnerability was found in the external blog interface of EPiServer CMS versions 5, 6, and 7. The issue was handled for versions 5, 6, and 7, and patches were created for it. The functionality exposing the vulnerability was discontinued after version 7.0.

If you are running EPiServer CMS version 5, 6, or 7, and cannot upgrade to a version higher than 7, you have the following options depending on the scenario:

1. If you do not use the external blog interface functionality, you can simply remove the endpoint (/util/xmlrpc/Handler.ashx).
2. If you use the functionality and are on v7.0.x, there is an upgrade (Episerver 7 Patch 5) that contains a fix for this (as well as other bug fixes).
3. If you use the functionality and are on v7.0.x  but cannot to upgrade, there is a patch of Episerver.XmlRpc.dll that can be applied to the application.
4. If you use the functionality, and are on older versions (5, 6), you apply a patch of handler.ashx.

Please contact Episerver Developer Support, to request the patches referred to above.

Comments