Component Type: Neos
Vulnerability Type: XSS, Arbitrary file upload
Affected Versions: 1.2.0 to 1.2.12 (only XSS) and 2.0.0 to 2.0.3 (XSS and file upload)
Release Date: November 23rd, 2015
Suggested CVSS v2.0: (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:ND/RL:OF/RC:C)
CVE: not assigned
It has been discovered that Neos is vulnerable to several XSS attacks.
Through these vulnerabilities, an attacker could tamper with page
rendering, redirect victims to a fake login page, or capture user
credentials (such as cookies). With the potential backdoor upload an
attacker could gain access to the server itself, to an extent mainly
limited by the server setup.
Stored Cross-Site Scripting (SXSS) with authentication
Both attack vectors require a valid Neos backend user account.
Reflected Cross-Site Scripting (RXSS) without authentication
A non-persistent XSS using parameters passed during plugin execution is possible. If invalid parameters are passed, an error message may be shown (depending on the context Neos runs in and how the parameters are handled) that contains the unescaped parameter value.
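The reflected case above comes down to an error message that echoes a request parameter without escaping it. The following PHP is an added illustration, not code from Neos or Flow: it shows a vulnerable error renderer next to a hardened one, with a constructed parameter value; the function names are invented for this example.

```php
<?php
// Added example (not Neos/Flow code): a plugin error message that echoes a
// request parameter. The vulnerable variant interpolates the raw value; the
// hardened variant HTML-escapes it for the HTML body context.

declare(strict_types=1);

// Vulnerable: the parameter value lands in the page unescaped.
function renderErrorUnsafe(string $paramName, string $value): string
{
    return "<p class=\"error\">Invalid value for {$paramName}: {$value}</p>";
}

// Escape for an HTML context. ENT_QUOTES also escapes single quotes so the
// value is safe inside single-quoted attributes; ENT_SUBSTITUTE replaces
// invalid UTF-8 sequences instead of returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: every untrusted fragment passes through e() before concatenation.
function renderErrorSafe(string $paramName, string $value): string
{
    return '<p class="error">Invalid value for ' . e($paramName) . ': ' . e($value) . '</p>';
}

// Constructed sample input, as it might arrive via $_GET in a plugin request.
$value = '"><script>alert(1)</script>';

echo renderErrorUnsafe('page', $value), PHP_EOL;
echo renderErrorSafe('page', $value), PHP_EOL;
```

Run it with `php example.php`: the first line contains a live `<script>` element, the second shows the same text with `<`, `>` and `"` converted to entities. The escaping function has to match the output context; `htmlspecialchars` is right for element content and quoted attributes, but a value placed inside a JavaScript block or a URL needs a different encoder.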
Potential backdoor upload
Through an issue with the underlying Flow framework (see the related Flow advisory Flow-SA-2015-001)
any editor with access to the Media Management module can
upload server side script files (when using Neos 2.0.x). If those scripts are executed by the
server when accessed through their public URL, anything not blocked
through other means is possible (information disclosure, placement of
backdoors, data removal, …).
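The upload issue is a validation problem: whatever the underlying framework accepts gets written under a publicly served path. The following PHP is an added example, not Neos, Flow or media module code, of the allowlist check a media upload handler should apply before storing a file. The extension list, the magic-byte table and the function name are assumptions made for this example; the sample files are constructed and are not real uploads.

```php
<?php
// Added example (not Neos/Flow code): allowlist validation of an upload before
// it is stored under a publicly served path. Every extension segment is
// checked (not just the last one) and the file's leading bytes are compared
// with the expected type, so the client-supplied MIME type is never trusted.

declare(strict_types=1);

// Extensions an editor may upload (assumption for this example).
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

// Leading bytes expected for each accepted type.
const MAGIC = [
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
    'png'  => "\x89PNG\r\n\x1a\n",
    'gif'  => "GIF8",
    'pdf'  => "%PDF-",
];

/**
 * Returns the reason an upload is rejected, or null if it passes.
 * $content is the raw file content; only its first bytes are inspected.
 */
function validateUpload(string $filename, string $content): ?string
{
    // Drop any directory part the client may have sent (both separators).
    $base = basename(str_replace('\\', '/', $filename));
    if ($base === '' || $base[0] === '.') {
        return 'empty or hidden file name';
    }
    // Every dot-separated segment after the name must be allowlisted, so
    // "shell.php.jpg" or "x.phtml" is rejected even when the last segment
    // looks harmless (some server setups hand such names to the PHP handler).
    $segments = explode('.', strtolower($base));
    if (count($segments) < 2) {
        return 'missing extension';
    }
    $extensions = array_slice($segments, 1);
    foreach ($extensions as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return "extension '{$ext}' not allowed";
        }
    }
    // The content must match the type the final extension claims.
    $last = end($extensions);
    $magic = MAGIC[$last];
    if (strncmp($content, $magic, strlen($magic)) !== 0) {
        return "content does not look like a {$last} file";
    }
    return null;
}

// Constructed samples (not real files); the PHP one carries no actual code.
$samples = [
    ['photo.JPG',     "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16)],
    ['page.php',      "<?php /* server-side script */ ?>"],
    ['page.php.jpg',  "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16)],
    ['notes.pdf',     "GIF89a" . str_repeat("\0", 16)],
    ['../logo.png',   "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16)],
];

foreach ($samples as [$name, $content]) {
    $verdict = validateUpload($name, $content) ?? 'accepted';
    printf("%-14s %s\n", $name, $verdict);
}
```

Running it accepts `photo.JPG` and `../logo.png` (stored as `logo.png`), and rejects the other three with the reason. The check is one layer; the second is the server configuration: uploaded files should live in a directory where script execution is disabled or outside the document root entirely, so that a file which slips past validation is served as static content rather than executed.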
Update to Neos versions 1.2.13 or 2.0.4 that fix the problems described. Also
update to the latest Flow release to fix the file upload issue (see