Vulnerability Note VU#537684
Alfresco Enterprise contains multiple cross-site scripting vulnerabilities
Alfresco Enterprise 4.1.6 and possibly earlier versions contain multiple cross-site scripting (XSS) vulnerabilities.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A remote attacker may be able to execute arbitrary script in the context of the end-user's browser session. With the exception of the vulnerability in /share/page/task-edit, the attacker must be authenticated.
Alfresco has released hotfix 220.127.116.11 to address this issue. Alternatively, users can upgrade to version 4.1.8 or later. In addition, please consider the following workaround:
Vendor Information
|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|Alfresco|Affected|16 Apr 2014|07 May 2014|
CVSS Metrics
Thanks to Nicolas Verdier from TEHTRI-Security for reporting this vulnerability.
This document was written by Todd Lewellen.
- CVE IDs: CVE-2014-2939
- Date Public: 28 May 2014
- Date First Published: 28 May 2014
- Date Last Updated: 28 May 2014
- Document Revision: 11