Metamorfosec Security Advisory METS-2019-001
Multiple cross-site scripting (XSS) vulnerabilities in ProfileDesign CMS v6.0.2.5

FIRST PUBLISHED: February 16, 2019
VERSION: 1.0
VENDOR: VegaDesign.net
PRODUCT: ProfileDesign CMS
VERSION AFFECTED: 6.0.2.5 (prior versions may also be affected)
CVE-ID: CVE-2019-7409

PRODUCT DESCRIPTION:
(from official website: https://www.vegadesign.net/?side=omsystemet)
ProfileDesign CMS is a web based Content Management System that helps you to update content on your website. All you need is a computer connected to the internet. Everything is done via the browser, wherever you may be in the world. The solution is currently only available in Norwegian and English, but will eventually come in both Swedish and Danish. The solution is modular and allows you to easily decide what features you want.

FINDING:
Multiple cross-site scripting (XSS) vulnerabilities in ProfileDesign CMS v6.0.2.5 allow remote attackers to inject arbitrary web script or HTML via the (1) page, (2) gbs, (3) side, (4) id, (5) imgid, (6) cat, or (7) orderby parameter.
PROOF OF CONCEPT:
[DOMAIN_NAME]?side=&page=">
[DOMAIN_NAME]?side=&gbs=">
[DOMAIN_NAME]?side=">
[DOMAIN_NAME]?side=&id=">
[DOMAIN_NAME]?side=&imgid=">&cat=&orderby=
[DOMAIN_NAME]?side=&imgid=&cat=">&orderby=
[DOMAIN_NAME]?side=&imgid=&cat=&orderby=">

MITIGATION:
Update to v6.0.2.6 or newer.

ADVISORY TIMELINE:
Jan 12, 2019 - First contact with vendor; vendor responded; sent vulnerability details report
Jan 13, 2019 - Vendor responded again and will fix the issues as soon as possible; requested a CVE-ID
Feb 6, 2019 - Received a CVE-ID (CVE-2019-7409, still RESERVED) and informed the vendor
Feb 9, 2019 - Vendor responded that the Changelog/Bugfix page on the official website has been updated
Feb 16, 2019 - Published this advisory (v1.0) and requested publication of CVE-2019-7409

REVISION HISTORY:
Version 1.0 (Feb 16, 2019) - First release

REFERENCES:
https://www.vegadesign.net/?side=pdcmd_endringslogg
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7409

DISCLAIMER:
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on our website.
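As an added defensive example, not part of the advisory and not code from the vendor, the following Python helper scans web server access-log lines for requests that carry HTML-significant characters (the `">` prefix seen in the proof of concept, angle brackets, or a javascript: scheme) in any of the seven parameters named in the finding. The Common Log Format layout, the character set treated as suspicious, and the sample log lines are all assumptions constructed for the example; an operator would tune them to the real log format and to the legitimate value space of each parameter.

```python
"""Flag access-log requests carrying HTML-significant characters in the
seven query parameters named in METS-2019-001 (page, gbs, side, id, imgid,
cat, orderby). Log format and sample lines are constructed assumptions."""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters listed in the advisory's FINDING section.
WATCHED_PARAMS = {"page", "gbs", "side", "id", "imgid", "cat", "orderby"}

# Characters/schemes that legitimate values of these parameters should never
# contain (assumption: page numbers, ids and category names are plain tokens).
SUSPICIOUS = re.compile(r"""[<>"']|javascript:""", re.IGNORECASE)

# Common Log Format (assumed): host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; percent-encoding mirrors how a browser sends `">`.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Feb/2019:10:00:01 +0100] "GET /?side=om&page=2 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Feb/2019:10:00:02 +0100] '
    '"GET /?side=om&page=%22%3E%3Cb%3Etest%3C/b%3E HTTP/1.1" 200 5180',
    '203.0.113.9 - - [16/Feb/2019:10:00:03 +0100] "GET /?side=galleri&q=%3Cx%3E HTTP/1.1" 200 4010',
    '203.0.113.7 - - [16/Feb/2019:10:00:04 +0100] '
    '"GET /?side=galleri&imgid=1&cat=5&orderby=%22%3E HTTP/1.1" 200 4090',
]


def suspicious_params(request_path):
    """Return {param: decoded_value} for watched params whose value looks like markup."""
    query = urlsplit(request_path).query
    hits = {}
    # parse_qsl percent-decodes values, so encoded `%22%3E` is checked as `">`.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in WATCHED_PARAMS and SUSPICIOUS.search(value):
            hits[name] = value
    return hits


def scan_log(lines):
    """Return [(ip, time, path, hits)] for every parseable line with a hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        hits = suspicious_params(m.group("path"))
        if hits:
            findings.append((m.group("ip"), m.group("time"), m.group("path"), hits))
    return findings


if __name__ == "__main__":
    for ip, when, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {when} {path} -> {hits}")
```

Only the second and fourth sample lines are reported: the third carries markup in an unrelated parameter (`q`) and is deliberately left alone, which keeps the rule scoped to the parameters the advisory actually names rather than turning it into a generic scanner with a high false-positive rate.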