PT-2024-40122 · Neos · Neos

Published: 2024-05-17 · Updated: 2024-05-17

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: Neos versions 2.0.x
Description: The issue allows for several XSS attacks, enabling an attacker to tamper with page rendering, redirect victims to a fake login page, or capture user credentials. An attacker could also gain access to the server itself, limited mainly by the server setup. There are two types of Reflected Cross-Site Scripting (XSS) attacks: one that requires authentication and one that does not. The authenticated attack can be performed by a Neos backend user with permission to modify content or profile information, injecting JavaScript instructions that will be executed in the browser of an administrator. The non-authenticated attack involves passing invalid parameters during plugin execution, which can produce an error message containing unescaped parameter values. Additionally, there is a potential backdoor upload issue related to the Flow framework: editors with access to the Media Management module can upload server-side script files.
Recommendations: For Neos version 2.0.x, consider disabling the node type or restricting access to the Media Management module to minimize the risk of exploitation. As a temporary workaround, restrict access to the vulnerable parameters and modules until a patch is available. Avoid using the parameters related to user profile information (such as Title, First Name, Last Name, Middle Name, Other Name) in the affected areas until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: XSS

Related Identifiers: GHSA-6CJ3-RC4P-F38F

Affected Products: Neos