Northwave has plenty of passionate specialists, and that passion shows not only during but also outside working hours. While stuck at home during the holidays, Thomas, one of the security specialists in the Northwave Red Team, explored content management systems in search of vulnerabilities to report.
In this blog post Thomas focused on a system called Bloomreach Experience Manager, previously known as Hippo CMS. Below you will find the vulnerabilities he found, alongside an advisory on how to tackle the problem.
Bloomreach Experience Manager (brXM) was vulnerable to cross-site scripting (CVE-2020-14988), cross-site request forgery (CVE-2020-14989) and remote code execution (CVE-2020-14987). Details were shared with Bloomreach, after which the CVEs were reserved.
Bloomreach provides an enterprise cloud solution for commerce, aimed at improving customer experiences. Customers include the Dutch Government, the Dutch Police and Dutch Railways, and internationally they serve other well-known organizations. On their website they state that they power over 200 billion dollars in digital commerce experiences.
Bloomreach Experience Manager
Bloomreach Experience Manager (brXM) is a Content Management System (CMS) built for developers and marketers to create or enhance customer experiences. The vulnerabilities were initially found in the brXM 14.1.0 developer trial Docker image. To recreate the findings for this post, the Docker image of the brXM 14.2.2 developer trial was used.
Various vulnerabilities were found, including multiple types of cross-site scripting (XSS) and a bypass of the cross-site request forgery (CSRF) protection that was in place. A remote code execution (RCE) was also found that bypasses certain measures in place; however, it requires administrator privileges, or the CSRF bypass combined with an account that has the required privileges.
Reflected Cross-Site Scripting
The /cms and /cms/console endpoints of the web application each contain a login portal. Both login portals are vulnerable to reflected XSS, on the condition that the victim is not already authenticated on that specific portal. If you are logged in on the /cms portal, the attack still works on the /cms/console portal.
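The check a tester would run to confirm a reflection like this is shown below as an added example; it is not code from the original post or from Bloomreach, and it does not use the injection point Thomas found, which this section does not name. It sends a probe string through an assumed request parameter (the name `username` and the URL are placeholders) and reports which HTML metacharacters come back unencoded. The three response bodies are constructed here so the example runs offline; a real `fetch` would issue the request without any session cookie, matching the unauthenticated condition described above.

```python
import html
import re
from urllib.parse import urlencode

# Probe layout: an alphanumeric prefix and suffix bracket the HTML
# metacharacters whose survival we want to measure in the response.
PREFIX, META, SUFFIX = "nwprobe", '<>"\'', "end"
PROBE = PREFIX + META + SUFFIX


def surviving_metachars(body: str):
    """Return the set of metacharacters reflected *without* encoding between
    the probe's prefix and suffix, or None if the probe was not reflected at
    all. An empty set means the value was reflected but properly encoded."""
    m = re.search(re.escape(PREFIX) + r"(.*?)" + re.escape(SUFFIX), body, re.S)
    if m is None:
        return None
    reflected = m.group(1)
    return {c for c in META if c in reflected}


def probe_portal(fetch, url: str, param: str):
    """Send PROBE through `param` on a login page and classify the reflection.
    `fetch(url) -> str` is supplied by the caller; for a live test it would be
    an unauthenticated GET (no cookies), since the page only reflects input
    when the visitor is not logged in on that portal."""
    return surviving_metachars(fetch(url + "?" + urlencode({param: PROBE})))


# Constructed responses (not captured from brXM) covering the three outcomes.
CONSTRUCTED_RESPONSES = {
    # Raw reflection inside an attribute: the quote breaks out of value="...".
    "vulnerable": f'<input name="username" value="{PROBE}">',
    # Output-encoded reflection: what a fixed login page should return.
    "hardened": f'<input name="username" value="{html.escape(PROBE)}">',
    # Parameter ignored entirely.
    "not_reflected": '<input name="username" value="">',
}


def fake_fetch(which: str):
    """Offline stand-in for an HTTP client, returning one constructed body."""
    def fetch(url: str) -> str:
        return CONSTRUCTED_RESPONSES[which]
    return fetch


if __name__ == "__main__":
    # Placeholder URLs and parameter name; the real injection point is not
    # given in this section of the post.
    for portal in ("https://cms.example/cms", "https://cms.example/cms/console"):
        for case in CONSTRUCTED_RESPONSES:
            result = probe_portal(fake_fetch(case), portal, "username")
            print(f"{portal} [{case}]: surviving metacharacters = {result}")
```

A non-empty set from `surviving_metachars` is the signal worth chasing: with `"` or `'` surviving inside an attribute, or `<` and `>` surviving in element content, the reflection is exploitable in the classic way. Run the probe once from a clean session and once while logged in on the other portal to confirm the cross-portal behaviour described above.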