Alfresco is a collection of information management software products for Microsoft Windows and Unix-like operating systems developed by Alfresco Software Inc. using Java technology.
A reflected cross-site scripting (XSS) vulnerability exists in Alfresco Community Edition v5.2.0 via the action parameter of the alfresco/s/admin/admin-nodebrowser API: the parameter value is reflected into the response without encoding, which allows a remote attacker to inject arbitrary JavaScript. Because the endpoint belongs to the Administration Console, the injected script runs in the browser of an authenticated administrator who follows an attacker-supplied link.
Date: 03 March 2022
Software Link: https://www.alfresco.com
Exploit Author: Chakrit Sangsakul, Pongpol Phaiaroonrut, Thanavit Chongsutakawewong
CVE: CVE-2020-18327
Category: Web Application
- Log in to the Alfresco Administration Console.
- Open the “Node Browser” function under “Support Tools” and run a query by pressing the “Execute” button.
- Modify the “action” parameter of the resulting request so that it contains JavaScript; the value is reflected into the page unencoded and the script executes.
Discovered and reported: 24 June 2019
CVE ID assigned: 11 Aug 2021
Public disclosure: 3 March 2022
- Update Alfresco Community Edition to v6.2 or later.
- Apply the OWASP XSS Prevention Cheat Sheet guidance, in particular contextual output encoding of untrusted data before it is written into HTML. (https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
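The following is an added example and is not part of the original advisory or of Alfresco's code. It covers two things a practitioner wants around an advisory like this: an offline check that tells whether a value sent in the action parameter comes back in the HTML response unencoded (the condition the reproduction steps rely on, using a benign marker rather than a script), and the encoding step the OWASP guidance asks for, shown next to the unencoded pattern it replaces. The endpoint path and parameter name are the ones named in the advisory; the hostname and port, the probe marker, the `<input>` fragment and both sample responses are constructed here for illustration and were not captured from a real Alfresco instance.

```python
"""Added example, not part of the original advisory or of Alfresco's code.

Offline check for the condition behind a reflected XSS: a value sent in a
query parameter comes back in the HTML response unencoded. The endpoint
path and parameter name are the ones named in the advisory; the hostname,
port, probe marker, markup fragment and sample responses are constructed
for illustration (assumptions, not captured from a real instance).
"""
import html
import secrets
from urllib.parse import urlencode

NODEBROWSER_PATH = "alfresco/s/admin/admin-nodebrowser"  # path from the advisory
PARAM = "action"                                          # parameter from the advisory

# Characters that matter in an HTML body/attribute context. If they come
# back verbatim, a reflected value can break out of the surrounding markup.
HTML_METACHARS = '"<>\'&'


def make_probe(token: str = "") -> str:
    """Benign marker: a random tag followed by the HTML metacharacters.
    It proves reflection without carrying a script (this is not an exploit).
    """
    token = token or secrets.token_hex(4)
    return f"x{token}{HTML_METACHARS}"


def probe_url(base_url: str, probe: str) -> str:
    """Request URL for the node browser with the probe in the action parameter."""
    return f"{base_url.rstrip('/')}/{NODEBROWSER_PATH}?{urlencode({PARAM: probe})}"


def classify_reflection(body: str, probe: str) -> str:
    """How the probe appears in the response body:
    'raw'     - metacharacters reflected verbatim (reflected XSS condition)
    'encoded' - the tag is there but the metacharacters were transformed
    'absent'  - the value is not reflected at all
    """
    tag = probe[: len(probe) - len(HTML_METACHARS)]  # the part encoders leave alone
    if probe in body:
        return "raw"
    if tag in body:
        return "encoded"
    return "absent"


def is_reflected_unencoded(body: str, probe: str) -> bool:
    return classify_reflection(body, probe) == "raw"


def render_action_vulnerable(action: str) -> str:
    """Hypothetical fragment that writes the value out unencoded: the pattern
    a reflected XSS bug is made of (shown for contrast, not Alfresco's markup)."""
    return f'<input name="action" value="{action}">'


def render_action_fixed(action: str) -> str:
    """The remediation OWASP asks for: encode untrusted data for the HTML
    context it is written into. html.escape stands in here for the
    server-side template's own encoding step."""
    return f'<input name="action" value="{html.escape(action, quote=True)}">'


if __name__ == "__main__":
    probe = make_probe()
    print("probe URL :", probe_url("http://localhost:8080", probe))  # host/port assumed
    vuln_body = "<html><body>" + render_action_vulnerable(probe) + "</body></html>"
    fixed_body = "<html><body>" + render_action_fixed(probe) + "</body></html>"
    print("unencoded :", classify_reflection(vuln_body, probe))
    print("encoded   :", classify_reflection(fixed_body, probe))
    print("other page:", classify_reflection("<html></html>", probe))
```

To use the check against a live instance, fetch `probe_url(...)` with an authenticated administrator session and pass the response body to `classify_reflection`; a result of `raw` means the metacharacters survived unencoded, which is exactly what the fix must change. The random tag keeps the verdict honest when the server applies an encoding other than the one Python's `html.escape` produces (for example `&#39;` instead of `&#x27;`): the tag still shows the value was reflected, while the missing metacharacters show it was transformed. On the server side the same step is done where the value is written into the template (in a FreeMarker web script template that is the `?html` built-in), not by stripping characters from the input.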