Ramon Pinuaga Cascales

Name of the Vulnerable Software and Affected Versions: Vignette StoryServer versions 4 and 5 Vignette V/5 and V/6 with the SSI EXEC feature enabled Description: The issue allows remote attackers to execute arbitrary code via a text variable to a Vignette Application that is later displayed. This is possible when the SSI EXEC feature is enabled. Recommendations: For Vignette StoryServer versions 4 and 5, consider disabling the SSI EXEC feature to prevent exploitation. For Vignette V/5 and V/6, restrict the use of the SSI EXEC feature until a fix is available.

Name of the Vulnerable Software and Affected Versions: Vignette StoryServer versions 4 and 5 Vignette V/5 Description: The issue allows remote attackers to perform unauthorized SELECT queries. This can be achieved by setting the `vgn creds` cookie to an arbitrary value and directly accessing the save template. Recommendations: For Vignette StoryServer versions 4 and 5, consider restricting access to the save template to prevent unauthorized SELECT queries. For Vignette V/5, restrict access to the save template to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Vignette StoryServer and Vignette V/5 Description: The issue allows remote attackers to obtain sensitive information by making a request for the "/vgn/style" template, which is an API endpoint. Recommendations: For Vignette StoryServer and Vignette V/5, consider restricting access to the "/vgn/style" template to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Vignette StoryServer version 5 Vignette V/5 Description: The issue allows remote attackers to identify valid usernames via brute force attacks by exploiting the default login template (/vgn/login) that generates different responses whether a user exists or not. Recommendations: For Vignette StoryServer version 5 and Vignette V/5, consider modifying the default login template to prevent differentiation in responses for existing and non-existing users. As a temporary workaround, restrict access to the /vgn/login endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Vignette StoryServer version 5 Vignette V/5 Description: The issue allows remote attackers to read and modify license information and cause a denial of service by directly accessing the "/vgn/license" template. Recommendations: For Vignette StoryServer version 5, restrict access to the "/vgn/license" template to prevent unauthorized modifications and denial of service attacks. For Vignette V/5, restrict access to the "/vgn/license" template to prevent unauthorized modifications and denial of service attacks.

Name of the Vulnerable Software and Affected Versions: Vignette StoryServer versions 4 and 5 Vignette V/5 and V/6 Description: The issue allows remote attackers to insert arbitrary HTML and script via text variables. This can be demonstrated using the `errInfo` parameter of the default login template, such as "/api/v1/login" or similar endpoints. The vulnerability enables attackers to execute malicious scripts on the client-side. Recommendations: For Vignette StoryServer versions 4 and 5, and Vignette V/5 and V/6, consider restricting access to the `errInfo` parameter in the default login template as a temporary workaround until a patch is available. Avoid using the `errInfo` parameter in affected API endpoints until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Vignette StoryServer version 5 Vignette V/6 Description: The issue allows remote attackers to execute arbitrary TCL code. This can be achieved via an HTTP query or cookie that is processed in the NEEDS command, or an HTTP Referrer that is processed in the VALID PATHS command. Recommendations: For Vignette StoryServer version 5, consider restricting access to the NEEDS command and validating all HTTP queries and cookies to prevent arbitrary TCL code execution. For Vignette V/6, restrict access to the VALID PATHS command and validate all HTTP Referrers to minimize the risk of exploitation.