Multiple Vulnerabilities in OpenCMS 11.0.2

Researchers:

Paul Ritchie & Sam Moore

As part of our ongoing commitment to Open Source security, Pentest Ltd conducted a research project into OpenCMS version 11.0.2. This found ten (10) vulnerabilities, summarised in the table below:

CVE-2021-42212
CVSS 4.8 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
Persistent XSS allowed “admin” level users to send payloads to any user via messages. Admin-level privileges were required, making exploitation unlikely.

CVE-2021-42209
CVSS 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Persistent XSS allowed users with at least “editor” privileges to trigger a payload on the publish screen. An “editor” could exploit this to gain “admin” level privileges.

CVE-2021-42210
CVSS 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Persistent XSS allowed users with at least “editor” privileges to trigger a payload on the sitemap screen. An “editor” could exploit this to gain “admin” level privileges.

CVE-2021-42213
CVSS 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N)
Persistent XSS allowed users with at least “author” privileges to upload HTML files. Such a file can contain Cross-Site Scripting or Cross-Site Request Forgery payloads, which will run from the same origin as the application.

CVE-2021-42211
CVSS 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
DOM-based XSS within the admin interface’s “workspace” UI. An unauthenticated remote attacker could exploit this.

CVE-2021-42215
CVSS 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Reflected XSS through the “policy” URL parameter. An unauthenticated remote attacker could exploit this.

CVE-2021-42214
CVSS 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
A user without the ability to delete files via the UI could do so using WebDAV; the permissions model was inconsistent across the two channels. A low-privileged user could delete the site content to cause a denial of service.

CVE-2021-42206
CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
By exploiting ClickJacking, an unauthenticated attacker could obtain admin access. To do so, they would need to entice an “admin” level user to interact with a website while authenticated to OpenCMS.

CVE-2021-42208
CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
An unvalidated redirect and forward existed. If an authenticated user clicked a malicious link, they were redirected to the exploit site; if the user was unauthenticated, they were prompted to authenticate before the redirection occurred. This existed in the “/system/login/index.html” script via the “requestedResource” parameter.

CVE-2021-42207
CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
An unvalidated redirect and forward existed. If an authenticated user clicked a malicious link, they were redirected to the exploit site; if the user was unauthenticated, they were prompted to authenticate before the redirection occurred. This existed in the “/system/login/index.html” script via the “loginRedirect” parameter.

These have been patched in the most recent release (12.0.0). Please update all installations of OpenCMS to the latest release as soon as possible.
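As an added example (not from the advisory or the OpenCms project), the following Python scans access-log lines for requests to /system/login/index.html whose requestedResource or loginRedirect value is not a site-relative path, which is how a defender could find attempts against CVE-2021-42207 and CVE-2021-42208 in existing logs, and the same check is what a fixed login handler should apply before redirecting. The log lines, client addresses and host names are constructed.

```python
# Added example (not from the advisory): flag requests to the OpenCms login page
# whose requestedResource / loginRedirect value is not a site-relative path
# (CVE-2021-42207, CVE-2021-42208). All log lines and hosts are constructed.
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOGIN_PATH = "/system/login/index.html"
REDIRECT_PARAMS = ("requestedResource", "loginRedirect")
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2021:13:55:36 +0000] "GET /system/login/index.html?requestedResource=/sites/default/index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2021:13:55:40 +0000] "GET /system/login/index.html?loginRedirect=https://external.example/login HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2021:13:55:44 +0000] "GET /system/login/index.html?requestedResource=//external.example/x HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2021:13:55:48 +0000] "GET /system/login/index.html?requestedResource=%252F%255Cexternal.example HTTP/1.1" 200 512
198.51.100.2 - - [10/Oct/2021:13:56:01 +0000] "GET /export/sites/default/page.html HTTP/1.1" 200 2048
"""

def is_safe_local_redirect(value: str) -> bool:
    """Accept only a site-relative path: no scheme, no host, one leading slash."""
    # Decode once more so double-encoded values the query parser left as %2F
    # are judged on their final form; reject //host and the /\host variant
    # that browsers normalise to //host, plus control characters.
    value = unquote(value).strip()
    if not value.startswith("/") or value.startswith(("//", "/\\")):
        return False
    if any(ord(c) < 0x20 for c in value):
        return False
    parts = urlsplit(value)
    return parts.scheme == "" and parts.netloc == ""

def find_redirect_abuse(log_text: str) -> list:
    """Return (client_ip, parameter, value) for login requests with unsafe targets."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if target.path != LOGIN_PATH:
            continue
        query = parse_qs(target.query, keep_blank_values=True)
        for param in REDIRECT_PARAMS:
            for value in query.get(param, []):
                if not is_safe_local_redirect(value):
                    hits.append((line.split()[0], param, value))
    return hits
```

Running find_redirect_abuse(SAMPLE_LOG) reports the three constructed requests pointing at external.example and ignores the site-relative one and the non-login request.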

Pentest has provided two additional blog posts showing full proof-of-concept code to go from unauthenticated access to full control of a vulnerable OpenCMS server:
