Multiple Vulnerabilities discovered in the package Croogo
Loginsoft-2019-1037
February 11, 2019
CVE Number
CVE – CVE-2019-7170
CWE Number
CWE – 79
Product Details
Croogo is an open source PHP content management system powered by CakePHP.
URL: https://github.com/croogo/croogo/wiki
Vulnerable Versions
v3.0.5
Vulnerability Details
Before printing the `Title` value on the ‘Vocabulary’ page, there is no escape being done, leaving the application vulnerable to the specific XSS attack.
Reference link: https://github.com/croogo/croogo/issues/890
Mitigations
- Avoid inserting or adding the untrusted input data
- Always perform the sanitation of the input data like HTML escape, Attribute escape, JavaScript escape JSON parsing and HTML encoding before inserting them into the page content
- It is advisable to practice content security policy and adopt the auto escaping template system
- Implement the X-XSS-Protection response header
CVE Number
CVE – CVE-2019-7173
Vulnerability Details
Before printing the `Title` value on the ‘Attachment’ page, there is no escape being done, leaving the application vulnerable to the specific XSS attack.
Reference link: https://github.com/croogo/croogo/issues/889
Mitigations
- Avoid inserting or adding the untrusted input data
- Always perform the sanitation of the input data like HTML escape, Attribute escape, JavaScript escape JSON parsing and HTML encoding before inserting them into the page content
- It is advisable to practice content security policy and adopt the auto escaping template system
- Implement the X-XSS-Protection response header
CVE Number
CVE – CVE-2019-7169
Vulnerability Details
Before printing the `Title` value on the ‘Title’ page, there is no escape being done, leaving the application vulnerable to the specific XSS attack.
Reference link: https://github.com/croogo/croogo/issues/888
Mitigations
- Avoid inserting or adding the untrusted input data
- Always perform the sanitation of the input data like HTML escape, Attribute escape, JavaScript escape JSON parsing and HTML encoding before inserting them into the page content
- It is advisable to practice content security policy and adopt the auto escaping template system
- Implement the X-XSS-Protection response header
CVE Number
CVE – CVE-2019-7171
Vulnerability Details
Before printing the `Title` value on the ‘Blocks page, there is no escape being done, leaving the application vulnerable to the specific XSS attack.
Reference link: https://github.com/croogo/croogo/issues/887
Mitigations
- Avoid inserting or adding the untrusted input data
- Always perform the sanitation of the input data like HTML escape, Attribute escape, JavaScript escape JSON parsing and HTML encoding before inserting them into the page content
- It is advisable to practice content security policy and adopt the auto escaping template system
- Implement the X-XSS-Protection response header
CVE Number
CVE – CVE-2019-7168
Vulnerability Details
Before printing the `Blog` value on the ‘Content’ page, there is no escape being done, leaving the application vulnerable to the specific XSS attack.
Reference link: https://github.com/croogo/croogo/issues/886
Mitigations
- Avoid inserting or adding the untrusted input data
- Always perform the sanitation of the input data like HTML escape, Attribute escape, JavaScript escape JSON parsing and HTML encoding before inserting them into the page content
- It is advisable to practice content security policy and adopt the auto escaping template system
- Implement the X-XSS-Protection response header
Timeline
Vendor Disclosure: 2019-01-16
Public Disclosure: 2019-02-11
Credit
Discovered by ACE Team – Loginsoft