Cross-Site Scripting (XSS) vulnerability on WideStand CMS of Acilia

Posted date 02/08/2023
Identificador

INCIBE-2023-0318

Importance
3 - Medium
Affected Resources

Widestand CMS, versions 5.3.5 and prior.

Description

INCIBE has coordinated the publication of a vulnerability affecting WideStand CMS, a professional CMS solution developed by Acilia y based on Symfony framework, which has been discovered by Ángel Heredia Pérez, of Telefónica Tech. 

The following code has been assigned to this vulnerability:

CVE-2023-4090:

  • CVSS v3.1 base score: 5.4.
  • CVSS vector string: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N.
  • Vulnerability type: CWE-79: CWE-79: improper neutralization of input during web page generation (Cross-site Scripting).
Solution

There is no reported solution at this time.

Detail

CVE-2023-4090: Cross-site Scripting (XSS) reflected vulnerability on WideStand until 5.3.5 version, which generates one of the meta tags directly using the content of the queried URL, which would allow an attacker to inject HTML/Javascript code into the response.