CVE-2013-4624

Name of the Vulnerable Software and Affected Versions Jahia xCM version 6.6.1.0 before hotfix 7

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The injection can occur via several parameters, including the site parameter to the "engines/manager.jsp" endpoint, the searchString parameter to the "administration/" endpoint in a search action, and the username, firstName, lastName, email, or organization fields to the "administration/" endpoint in a users action.

Recommendations For Jahia xCM version 6.6.1.0 before hotfix 7, apply hotfix 7 to resolve the issue. As a temporary workaround, consider restricting access to the "engines/manager.jsp" and "administration/" endpoints until the hotfix is applied. Additionally, avoid using the vulnerable parameters site, searchString, username, firstName, lastName, email, and organization in the respective actions until the issue is resolved.