Calling all developers! We invite you to provide your input on Feature Experimentation by completing this brief survey.

 

Magnus Rahl
Sep 28, 2023
  2160
(6 votes)

Vulnerability in CMS 12 shell module configuration

Introduction

A potential security vulnerability has been identified in Optimizely CMS 12, triggered by a certain shell module configuration. To be vulnerable the application needs to fulfil these conditions:

  • Use EPiServer.CMS and/or EPiServer.CMS.UI.Core packages of version 12.0.0 or higher.
  • Have a module.config file in the root folder of the deployed application. Module.config files inside separate module directories/zips are not affected, only if the file is in the application root.
  • Have the clientResourceRelativePath attribute present on the <module> element in the module.config file and the clientResourceRelativePath attribute set to an empty string.

If all these conditions are met there is a potential vulnerability allowing an attacker using an authenticated account to access sensitive data in the application.

Risk

The risk of this vulnerability is high. Mitigation is in place for all DXP service customers.

Affected versions

All versions higher than 12.0.0 of EPiServer.CMS.UI.Core. Note that the project might not be referencing this package directly, but rather it being a transitive dependency of for example the EPiServer.CMS package of the same version.

Remediation

The underlying issue has been fixed in CMS-30098. Update to version 12.22.8 or later of the EPiServer.CMS (or EPiServer.CMS.UI or EPiServer.CMS.UI.Core, depending on which package you reference directly) to receive this fix.

As an alternative workaround if you cannot take an update right now, edit the module.config to remove the clientResourceRelativePath completely instead of having it set to an empty string. 

Depending on the setup of the specific shell module and module.config, either of these changes might mean you also need to change the location of files in the paths referenced by the module.config, and/or change how paths to those files are resolved in the application to match.

These module files are related to editor customizations, scripts and stylesheets used in shell modules, so make sure to test such customizations. Please contact support if you run into a scenario you cannot solve.

Questions

Please contact application support at support@optimizely.com

Risk definitions

Low – little to no potential impact on Optimizely or customer environments/data. Vulnerability has low exploitability, for example: requirement for local or physical system access, zero reachability to/executability within Optimizely products/code.

Medium – some potential impact on Optimizely or customer environments/data. Vulnerability has medium exploitability, for example: requirement to be located on the same local network as the target, requirement for an individual to be manipulated via social engineering, requirement for user privileges, vulnerability achieves limited access to Optimizely products/code.

High – high potential impact on Optimizely or customer environments/data.  Vulnerability has high exploitability, for example:  achieves high level access to Optimizely products/code, could elevate privileges, could result in a significant data loss or downtime.

Critical – very significant potential impact on Optimizely or customer environments/data.  Vulnerability has very high exploitability, for example: achieves admin/root-level access to Optimizely products/code.  Vulnerability does not require any special authentication credentials/knowledge of Optimizely products/environments. 

Sep 28, 2023

Comments

Eric
Eric Oct 2, 2023 08:09 AM

Thank you for updates. Could this information also be sent to all tech-people assigned to a client DXP? Like if I have 2 customers and have access to the paas portal I get email with this information as well? Speciellay if the incident is high. I am sadly not spending that much time anymore on world :) 

Magnus Rahl
Magnus Rahl Oct 2, 2023 08:12 AM

Eric, for DXP our CSM:s will communicate directly with contacts of affected projects in the next couple of days if that hasn't happened already.

Ted
Ted Oct 4, 2023 05:52 PM

Thanks for the detailed yet to-the-point description of the vulnerability.

Please login to comment.
Latest blogs
Decimal numbers in Optimizely Graph

Storing prices as decimal numbers on a commerce website and planning to expose them through Optimizely Graph? It might not be as straightforward as...

Damian Smutek | Jan 23, 2025 | Syndicated blog

Find and delete non used media and blocks

On my new quest to play around with Blazor and MudBlazor I'm going back memory lane and porting some previously plugins. So this time up is my plug...

Per Nergård (MVP) | Jan 21, 2025

Optimizely Content Graph on mobile application

CG everywhere! I pull schema from our default index https://cg.optimizely.com/app/graphiql?auth=eBrGunULiC5TziTCtiOLEmov2LijBf30obh0KmhcBlyTktGZ in...

Cuong Nguyen Dinh | Jan 20, 2025

Image Analyzer with AI Assistant for Optimizely

The Smart Image Analyzer is a new feature in the Epicweb AI Assistant for Optimizely CMS that automates the management of image metadata, such as...

Luc Gosso (MVP) | Jan 16, 2025 | Syndicated blog

How to: create Decimal metafield with custom precision

If you are using catalog system, the way of creating metafields are easy – in fact, you can forget about “metafields”, all you should be using is t...

Quan Mai | Jan 16, 2025 | Syndicated blog

Level Up with Optimizely's Newly Relaunched Certifications!

We're thrilled to announce the relaunch of our Optimizely Certifications—designed to help partners, customers, and developers redefine what it mean...

Satata Satez | Jan 14, 2025