When creating or editing an account, a hacker can inject malicious code into the HTML code of the account page. This can lead to information disclosure, remote code execution, or other impacts.
Affected versions The Stored XSS in /admin/myaccount affects all versions of CMS 4.2.0.1, from 4.2.0 to 4.2.2. It also affects CMS 2.9.5, 2.9.4, 2.9.3, and other versions and branches of Red Hat OpenShift.
Hotfix information For the 4.2.0.1 release, a fix for XSS has been released. The latest version of Red Hat OpenShift is version 3.9.6. For more information on how to obtain a hotfix, go to Red Hat OpenShift documentation and criteria for obtaining a hotfix
References: https://community.zoho.com/kb/questions/2022-37250
The Stored XSS in /admin/myaccount affects all versions of CMS 4.2.0.1, from 4.2.0 to 4.2.2, and other versions and branches of Red Hat OpenShift
https://www.redhat.com/en/openshift3/documentation/release-notes
https://community.zoho.com/kb/questions/2022-37250#relevant_information
Description
The Stored XSS vulnerability in the /admin/myaccount page of Red Hat OpenShift can allow information to be disclosed and other impacts to occur. This is a configuration defect that is related to an error in the development of the application.
Vulnerability overview
Stored XSS vulnerability in /admin/myaccount
A Stored XSS vulnerability exists in the account management page of all versions of CMS 4.2.0.1, from 4.2.0 to 4.2.2, and other versions and branches of Red Hat OpenShift, including CMS 2.9.5, 2.9.4, 2.9.3, and 3.x versions, that allows a malicious user to inject malicious JavaScript into the HTML code of the account management page as it is being generated by the application server during account creation or editing, thereby leading to information disclosure, remote code execution, or other impacts on the application server side or on a connected database server's side or on a connected webserver's side or on another service connected to the application server's side
Vulnerability description
In this vulnerability an attacker can perform an "injection attack" using a specially crafted URL containing malicious JavaScript code that is injected into the HTML code for account creation/editing pages without any kind of authentication required (e-mail does not matter). A Stored XSS vulnerability exists in all versions of CMS 4
Vulnerability overview
This XSS vulnerability allows a user to inject malicious code into the HTML code of the account page, exposing pages to Stored XSS. When creating or editing an account, a hacker can inject malicious code into the HTML code of the account page. This can lead to information disclosure, remote code execution, or other impacts.
Description of the Stored XSS vulnerability
When creating or editing an account, a hacker can inject malicious code into the HTML code of the account page. This can lead to information disclosure, remote code execution, or other impacts.
Timeline
Published on: 09/16/2022 15:15:00 UTC
Last modified on: 09/17/2022 02:23:00 UTC