Alfresco Enterprise 4.1.6 and possibly earlier versions are vulnerable to multiple cross-site scripting (XSS) vulnerabilities.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A remote attacker may be able to execute arbitrary script in the context of the end-user's browser session. With the exception of the vulnerability in /share/page/task-edit, the attacker must be authenticated.
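As an added illustration of the CWE-79 pattern this advisory describes (a constructed example, not Alfresco's code: the task-title field, the render functions and the sample input are hypothetical), the vulnerable and hardened forms of reflecting user input into a page, side by side:

```javascript
// Added illustration of CWE-79; not taken from Alfresco or from this advisory.
// A page component reflects a user-controlled string (e.g. a task title
// received in a request parameter) into HTML. The vulnerable builder
// concatenates the raw value; the hardened builder HTML-encodes it first.

// Constructed sample input, not a real payload from the advisory.
const SAMPLE_INPUT = 'Review <img src=x onerror="alert(document.cookie)">';

// Minimal HTML entity encoding for text placed inside an element body or a
// double-quoted attribute. '&' must be encoded first so later replacements
// are not double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable (hypothetical): the raw value lands in the markup, so the
// browser parses the attacker's <img> tag and runs its onerror handler in
// the victim's session.
function renderTaskTitleUnsafe(title) {
  return `<h1 class="task-title">${title}</h1>`;
}

// Hardened (hypothetical): the same value is encoded as text, so the
// browser displays the characters literally and creates no new element.
function renderTaskTitleSafe(title) {
  return `<h1 class="task-title">${escapeHtml(title)}</h1>`;
}

// Counts element start tags in rendered markup. The template contributes
// exactly one (<h1>); anything beyond that came from the injected input.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Stand-alone demonstration.
console.log("unsafe tags:", countTags(renderTaskTitleUnsafe(SAMPLE_INPUT))); // 2
console.log("safe tags:  ", countTags(renderTaskTitleSafe(SAMPLE_INPUT)));   // 1
```

Note that the hardened output still contains the literal text `onerror=`; a filter that scans for handler names would flag it, while the browser treats it as inert text because the surrounding `<` and `>` are encoded. Contextual output encoding, not keyword blacklisting, is the fix for this class of defect.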
Alfresco has released hotfix 220.127.116.11 to address this issue. Alternatively, users can upgrade to version 4.1.8 or later. In addition, please consider the following workaround:
Thanks to Nicolas Verdier from TEHTRI-Security for reporting this vulnerability.
This document was written by Todd Lewellen.
Date First Published: 2014-05-28
Date Last Updated: 2014-05-28 12:35 UTC