Try our conversational search powered by Generative AI!

Magnus Rahl
Aug 16, 2023
  1674
(3 votes)

XSS vulnerability in CMS 11 and 12

Introduction

A potential security vulnerability was detected for Optimizely CMS that could affect CMS 11 installations before v11.37.1 and CMS 12 installations before v12.16.0.  

  • In a CMS 11 installation where request validation has been disabled, the vulnerability allows execution of JavaScript included in a manipulated URL. This allows the possibility to run arbitrary JavaScript code in the context of the logged in user.
  • In a CMS 12 installation, the vulnerability allows execution of JavaScript included in a manipulated URL.

Example attack

In CMS 11, when the request validation has been either completely or partially disabled by configuring requestValidationMode in the applications web.config file, harmful requests are allowed to reach the application.

An attacker provides a manipulated URL that includes harmful JavaScript code that a user can interact with. After successful authentication and authorization, the supplied JavaScript is executed in the context of the browser, the web application, and the permissions of the user. The attack is only possible for authenticated users and in installations where request validation is completely or partially disabled.

Risk

Overall, the risk of the vulnerability is low-medium. The attack is possible for only authenticated users and requires user interaction to execute. The issue was fixed in CMS v11.37.1 (CMS-28190) and CMS v12.16.0 (CMS-26236). Mitigation is in place for all DXP service customers.

Remediation

  • If using CMS 11, please update Optimizely CMS to the latest version.
  • If using CMS 12, please update to the latest version.
  • As a general best practice, it is recommended to restrict the number of users with admin privileges.

Questions

Please contact the security engineering team at securityeng@optimizely.com.

Risk definitions

Low – little to no potential impact on Optimizely or customer environments/data. Vulnerability has low exploitability, for example: requirement for local or physical system access, zero reachability to/executability within Optimizely products/code.

Medium – some potential impact on Optimizely or customer environments/data. Vulnerability has medium exploitability, for example: requirement to be located on the same local network as the target, requirement for an individual to be manipulated via social engineering, requirement for user privileges, vulnerability achieves limited access to Optimizely products/code.

High – high potential impact on Optimizely or customer environments/data.  Vulnerability has high exploitability, for example:  achieves high level access to Optimizely products/code, could elevate privileges, could result in a significant data loss or downtime.

Critical – very significant potential impact on Optimizely or customer environments/data.  Vulnerability has very high exploitability, for example: achieves admin/root-level access to Optimizely products/code.  Vulnerability does not require any special authentication credentials/knowledge of Optimizely products/environments. 

Aug 16, 2023

Comments

Please login to comment.
Latest blogs
Microsoft announces Natural language to SQL

Finally, Microsoft launches "Natural language to SQL," after it has been available for several months in Optimizely CMS!

Tomas Hensrud Gulla | May 23, 2024 | Syndicated blog

Five easy ways to start personalizing your content right now

If you clicked on this article, you already know that getting the right message to the right person at the right time helps drive conversions and...

Kara Andersen | May 23, 2024

ExtendedCms.TinyMceEnhancements – serwer side webp support

Today I will introduce another small feature of TinyMceEnhancements plugin. The functionality is used to automatically detect whether a browser...

Grzegorz Wiecheć | May 22, 2024 | Syndicated blog

Azure AI Language– Detect Healthcare Content in Optimizely CMS

In this blog post, I showcase how the Azure AI Language service's Text Analytics for health feature can be used to detect healthcare content within...

Anil Patel | May 22, 2024 | Syndicated blog

Stott Security Version 2 So Far

In December 2023, I unveiled the initial version of Stott Security version 2. Although I typically announce each version I release on LinkedIn and...

Mark Stott | May 22, 2024

Optimizely Data Platform (ODP) Page Scroll Tracking

As with my last post, this isn’t a “getting started with ODP” — to get started with ODP, check out the developer docs,   “Implement the ODP...

Daniel Isaacs | May 22, 2024