Ektron CMS unauthenticated code execution and Local File Read

Description
  • The version of Ektron CMS is vulnerable to multiple security vulnerabilities, such as Unauthenticated code execution and Local File Read. <br/><br/> <strong>1. CVE-5357 - Unauthenticated code execution in the context of web server</strong><br/> The root cause of this is that Ektron processed user-controlled XSL from a page that required no auth. They used the XslCompiledTransform class with enablescript set to true. This scripting allows the user to execute code.<br/><br/> <strong>2. CVE-5358 Local File Read</strong><br/> Ektron had configured the xsl with enableDocumentFunction set to true. This vulnerability allows an unauthenticated attacker to read arbitrary files, such as web.config and machine.config. This would allow an attacker to perform several attacks, like bypassing authentication, modifying viewstate, bringing down the server, etc.<br/><br/>
Remediation
  • Upgrade to latest version of Ektron CMS.
References