The developers of the popular ExpressionEngine content management system have patched two serious vulnerabilities affecting all earlier versions of the CMS, including an open HTTP redirect bug that could allow an attacker to send a victim to a malicious site.
The bugs affect all versions of ExpressionEngine prior to 7.4.11; Packet Tide, which owns and develops the software, has released version 7.4.11 to fix them. In addition to the redirect flaw, there is a group of cross-site scripting (XSS) bugs, one of which could give an attacker super admin access to the application. Researchers at Bishop Fox discovered the vulnerabilities.
“ExpressionEngine is affected by multiple cross-site scripting vulnerabilities that could allow an attacker to execute JavaScript in the browsers of targeted users. Bishop Fox staff demonstrated that an attacker could exploit this issue to create a super admin account in the ExpressionEngine instance by convincing or causing an administrator to view crafted content,” the Bishop Fox advisory says.
“One instance of the issue is a reflected XSS vulnerability that can be exploited by an attacker without credentials for the ExpressionEngine instance. The remaining instances of the issue are stored XSS vulnerabilities that affect the ExpressionEngine control panel.”
ExpressionEngine is a free and open source CMS that is used widely in enterprise environments.
The second vulnerability is the open redirect, which lets an attacker bypass the warning page ExpressionEngine normally shows before sending a user to an external site.
“ExpressionEngine includes URL-redirection functionality that displays a warning prompt when redirecting to external URLs. Bishop Fox staff determined that the warning prompt can be bypassed by sending a crafted value for the URL parameter. An attacker could take advantage of this vulnerability to execute convincing phishing attacks against ExpressionEngine users by leveraging the trust that legitimate users have in the instance domain,” the advisory says.
“It is possible to bypass the redirection warning screen by omitting the protocol used.”
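To make the bypass concrete, the added example below (written for this article; it is not ExpressionEngine's code and not a quote of the patched logic) puts a weak "is this external?" check that only looks for an explicit http:// or https:// prefix beside a hardened check that resolves the submitted value against the site origin and compares hosts. The weak check is an assumed pattern chosen because it reproduces the symptom the advisory describes (a value with the protocol omitted is not recognised as external); the origin cms.example, the attacker host evil.example and the function names are illustrative. The example also goes beyond the single case in the advisory by handling the backslash spelling browsers accept and non-http schemes.

```python
"""Open-redirect interstitial check: a weak scheme-prefix test beside a
host-based test.  Added example; not ExpressionEngine's code.  The weak
check is an assumed pattern that reproduces the symptom the advisory
describes (omitting the protocol bypasses the warning), not a quote of
the vulnerable or patched code."""
from urllib.parse import urljoin, urlsplit

# Assumed site origin for the example.
SITE_ORIGIN = "https://cms.example/"


def naive_is_external(target: str) -> bool:
    """Weak check: 'external' means the value spells out http:// or https://.

    A protocol-relative value such as //evil.example/ has no scheme prefix,
    so it is treated as internal, yet the browser resolves it against the
    current scheme and lands on evil.example.
    """
    return target.lower().startswith(("http://", "https://"))


def browser_like_resolve(target: str, base: str = SITE_ORIGIN) -> str:
    """Resolve `target` against `base` roughly the way a browser would.

    Browsers (WHATWG URL parser) treat backslashes like forward slashes for
    http(s) URLs and strip surrounding whitespace, so \\\\evil.example is
    another spelling of //evil.example.  urljoin does neither, so normalise
    first or the hardened check would disagree with the browser.
    """
    cleaned = target.strip().replace("\\", "/")
    return urljoin(base, cleaned)


def is_external(target: str, base: str = SITE_ORIGIN) -> bool:
    """Hardened check: compare the resolved host with the site's host.

    Anything that is not a plain http(s) link (javascript:, data:, ...) is
    treated as external too, so it never takes the trusted path.
    """
    resolved = urlsplit(browser_like_resolve(target, base))
    if resolved.scheme not in ("http", "https"):
        return True
    site_host = (urlsplit(base).hostname or "").lower()
    return (resolved.hostname or "").lower() != site_host


def needs_warning(target: str, base: str = SITE_ORIGIN) -> bool:
    """True when the redirect interstitial must be shown for `target`."""
    return is_external(target, base)


if __name__ == "__main__":
    # Constructed sample values a redirect endpoint might receive.
    samples = [
        "/admin/",                   # internal path
        "https://evil.example/",     # explicit external URL
        "//evil.example/login",      # scheme omitted: the bypass in the advisory
        "\\\\evil.example/login",    # backslash variant browsers also accept
        "javascript:alert(1)",       # not a link at all
    ]
    for s in samples:
        print(f"{s!r:28} naive={naive_is_external(s)!s:5} hardened={is_external(s)}")
```

The design point is that the decision must be made on the URL as the browser will interpret it, not on the raw string: resolve first, then compare the host against an allow-list (here, the site's own host), and treat anything that is not a plain http(s) link as untrusted.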
Both vulnerabilities are fixed in ExpressionEngine version 7.4.11 and organizations using vulnerable versions should upgrade as soon as is practical.