SS-2013-009: XSS in CMS "Pages" section

Severity: Low
Identifier: SS-2013-009
Versions Affected: 3.0, 3.1
Versions Fixed: 3.0.7, 3.1.0-rc3
Release Date: 2013-09-24

The "Insert Link" dropdown and "Dependent Pages" list in the "Pages" CMS section are vulnerable to persistent cross-site scripting, through the SiteTree.Title attribute. This form of attack requires a CMS login by a malicious third party, and can lead to executing authenticated requests on behalf of the CMS user victim.
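
The following is an added example, not code from SilverStripe or from this advisory. It shows why a stored page title becomes persistent XSS when a dropdown or list is built by string concatenation, and a regression check for it. The renderer functions, `leaksRawTitle` and the sample pages are hypothetical stand-ins for the two views named above.

```javascript
// Added example: hypothetical stand-ins for the two CMS views named in the
// advisory. None of this is SilverStripe code.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the stored title is concatenated into markup as-is.
function renderLinkDropdownUnsafe(pages) {
  return '<select name="internal">' +
    pages.map((p) => `<option value="${p.id}">${p.title}</option>`).join('') +
    '</select>';
}

// "After": every stored value is escaped at the point of output.
function renderLinkDropdown(pages) {
  return '<select name="internal">' +
    pages.map((p) => `<option value="${escapeHtml(p.id)}">${escapeHtml(p.title)}</option>`).join('') +
    '</select>';
}

// The second view needs the same treatment; escaping one sink is not enough.
function renderDependentPages(pages) {
  return '<ul>' + pages.map((p) => `<li>${escapeHtml(p.title)}</li>`).join('') + '</ul>';
}

// Regression check: a title containing markup must never appear raw in output.
function leaksRawTitle(html, pages) {
  return pages.some((p) => /[<>"']/.test(p.title) && html.includes(p.title));
}

// Constructed sample data: one ordinary title, one carrying markup.
const samplePages = [
  { id: 1, title: 'About Us' },
  { id: 2, title: '"><script>alert(1)</script>' },
];

console.log('unsafe dropdown leaks:', leaksRawTitle(renderLinkDropdownUnsafe(samplePages), samplePages));
console.log('escaped dropdown leaks:', leaksRawTitle(renderLinkDropdown(samplePages), samplePages));
console.log('escaped list leaks:', leaksRawTitle(renderDependentPages(samplePages), samplePages));
```

Because the title is stored once and rendered in several views, the check belongs on every view that outputs it, not only on the form that saves it.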