By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
Accept
Green Plus icon
Home
/
Research
/
Zero Day Discovery
/
CVE-2019-7170: Multiple Vulnerabilities discovered in the package Croogo

CVE-2019-7170: Multiple Vulnerabilities discovered in the package Croogo

Vulnerability Reports
February 11, 2019
Profile Icon

Jason Franscisco

Multiple Vulnerabilities discovered in the package Croogo

Loginsoft-2019-1037February 11, 2019

CVE Number

CVE - CVE-2019-7170

CWE Number

CWE - 79

Product Details

Croogo is an open source PHP content management system powered by CakePHP.

URL:https://github.com/croogo/croogo/wiki

Vulnerable Versions

v3.0.5

Vulnerability Details

Before printing the `Title` value on the ‘Vocabulary’ page, there is no escape being done, leaving the application vulnerable to the specific XSS attack.

Reference link:https://github.com/croogo/croogo/issues/890

Mitigations
  • Avoid inserting or adding the untrusted input data
  • Always perform the sanitation of the input data like HTML escape, Attribute escape, JavaScript escape JSON parsing and HTML encoding before inserting them into the page content
  • It is advisable to practice content security policy and adopt the auto escaping template system
  • Implement the X-XSS-Protection response header
CVE Number

CVE - CVE-2019-7173

Vulnerability Details

Before printing the `Title` value on the ‘Attachment’ page, there is no escape being done, leaving the application vulnerable to the specific XSS attack.

Reference link:https://github.com/croogo/croogo/issues/889

Mitigations
  • Avoid inserting or adding the untrusted input data
  • Always perform the sanitation of the input data like HTML escape, Attribute escape, JavaScript escape JSON parsing and HTML encoding before inserting them into the page content
  • It is advisable to practice content security policy and adopt the auto escaping template system
  • Implement the X-XSS-Protection response header
CVE Number

CVE - CVE-2019-7169

Vulnerability Details

Before printing the `Title` value on the ‘Title’ page, there is no escape being done, leaving the application vulnerable to the specific XSS attack.

Reference link:https://github.com/croogo/croogo/issues/888

Mitigations
  • Avoid inserting or adding the untrusted input data
  • Always perform the sanitation of the input data like HTML escape, Attribute escape, JavaScript escape JSON parsing and HTML encoding before inserting them into the page content
  • It is advisable to practice content security policy and adopt the auto escaping template system
  • Implement the X-XSS-Protection response header
CVE Number

CVE - CVE-2019-7171

Vulnerability Details

Before printing the `Title` value on the ‘Blocks page, there is no escape being done, leaving the application vulnerable to the specific XSS attack.

Reference link:https://github.com/croogo/croogo/issues/887

Mitigations
  • Avoid inserting or adding the untrusted input data
  • Always perform the sanitation of the input data like HTML escape, Attribute escape, JavaScript escape JSON parsing and HTML encoding before inserting them into the page content
  • It is advisable to practice content security policy and adopt the auto escaping template system
  • Implement the X-XSS-Protection response header
CVE Number

CVE - CVE-2019-7168

Vulnerability Details

Before printing the `Blog` value on the ‘Content’ page, there is no escape being done, leaving the application vulnerable to the specific XSS attack.

Reference link:https://github.com/croogo/croogo/issues/886

Mitigations
  • Avoid inserting or adding the untrusted input data
  • Always perform the sanitation of the input data like HTML escape, Attribute escape, JavaScript escape JSON parsing and HTML encoding before inserting them into the page content
  • It is advisable to practice content security policy and adopt the auto escaping template system
  • Implement the X-XSS-Protection response header
Timeline

Vendor Disclosure: 2019-01-16

Public Disclosure: 2019-02-11

Credit

Discovered by ACE Team – Loginsoft

Explore Cybersecurity Platforms

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros.

Discover Lovi

Sign up to our Newsletter

Cybersecurity Solutions
Vulnerability IntelligenceSecurity & Threat Intelligence IntegrationsVulnerability & Configuration ManagementOSS - Software Composition AnalysisOSS - Dependancy DefenceOSS - Zero-Day DiscoveryThreat IntelligenceExternal Attack Surface DiscoveryCloud Security Posture ManagementCloud Workload Protection
IT Solutions
Data Science & AISoftware Development  & SupportQA AutomationStaff Augmentation
Platforms
LOVICytellite
Company
BlogsReportsAbout usCareers
Research
Research-as-a -ServiceZero-Day Discovery
1-703-956-7410info@loginsoft.com
© 2024 - Copyright
Privacy policy