CVE-2019-7170: Multiple Vulnerabilities discovered in the package Croogo

Vulnerability Reports
February 11, 2019
Jason Franscisco

Multiple Vulnerabilities discovered in the package Croogo

Loginsoft-2019-1037, February 11, 2019

CVE Number

CVE-2019-7170

CWE Number

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product Details

Croogo is an open source PHP content management system powered by CakePHP.

URL: https://github.com/croogo/croogo/wiki

Vulnerable Versions

v3.0.5

Vulnerability Details

The `Title` value is written into the 'Vocabulary' page without being escaped before output, so a title containing HTML or script is rendered as markup rather than as text, leaving the page vulnerable to cross-site scripting (XSS).

Reference link: https://github.com/croogo/croogo/issues/890

Mitigations
  • Do not insert untrusted input (here, the stored Title value) into a page without encoding it for the context in which it appears
  • Escape output at the point of rendering: HTML-escape text content, attribute-escape attribute values, JavaScript-escape values placed inside scripts, and JSON-encode structured data rather than concatenating it (in CakePHP views, wrap output in `h()`)
  • Deploy a Content Security Policy and use a templating system that auto-escapes output by default
  • The X-XSS-Protection response header can be set for legacy browsers, but current browsers have removed the filter it controls, so it must not be relied on as a defence
CVE Number

CVE-2019-7173

Vulnerability Details

The `Title` value is written into the 'Attachment' page without being escaped before output, leaving the page vulnerable to cross-site scripting (XSS) in the same way as the Vocabulary page above.

Reference link: https://github.com/croogo/croogo/issues/889

Mitigations
  • Same as for CVE-2019-7170 above
CVE Number

CVE-2019-7169

Vulnerability Details

The `Title` value is written into the 'Title' page without being escaped before output, leaving the page vulnerable to cross-site scripting (XSS) in the same way as the Vocabulary page above.

Reference link: https://github.com/croogo/croogo/issues/888

Mitigations
  • Same as for CVE-2019-7170 above
CVE Number

CVE-2019-7171

Vulnerability Details

The `Title` value is written into the 'Blocks' page without being escaped before output, leaving the page vulnerable to cross-site scripting (XSS) in the same way as the Vocabulary page above.

Reference link: https://github.com/croogo/croogo/issues/887

Mitigations
  • Same as for CVE-2019-7170 above
CVE Number

CVE-2019-7168

Vulnerability Details

The `Blog` value is written into the 'Content' page without being escaped before output, leaving the page vulnerable to cross-site scripting (XSS) in the same way as the Title values above.

Reference link: https://github.com/croogo/croogo/issues/886

Mitigations
  • Same as for CVE-2019-7170 above
Timeline

Vendor Disclosure: 2019-01-16

Public Disclosure: 2019-02-11

Credit

Discovered by ACE Team – Loginsoft
