CVE-2015-8766: XSS Vulnerabilities in Symphony CMS

Reflected Cross-Site Scripting in Symphony CMS

Multiple cross-site scripting (XSS) vulnerabilities in content/content.systempreferences.php in Symphony CMS before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1) email or (2) username parameter to index.php.

CVE IDCVE-2015-8766

CVSS v3.16.1 Medium

VendorSymphony

CWECWE-79

DisclosedNov 3, 2015

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

A cross-site scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted web site. The application targets your application’s users and not the application itself, but it uses your application as the vehicle for the attack. Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc.

Vendor: Symphony
Affected Product: Symphony
CVE: CVE-2015-8766
Securin ID: 2015-CSW-08-1001
Status: Fixed
Date: November 3, 2015
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

Issue 1: The POST Request of the variable email_sendmail[from_name] in the preference form is vulnerable to XSS. Similarly, the rest of the variables are also vulnerable.

PoC · Exploitation Steps▲ trigger

01Figure 1: XSS payload is injected in email_sendmail[from_name] variable.02Figure 2: Injected payload was executed in the browser.03Figure 3: XSS payload in email_sendmail[from_address] variable.04Figure 4: Injected payload was executed in the browser.05Figure 5: XSS payload injected in email_smtp[from_name] variable.06Figure 6: Injected payload was executed in the browser.

Note: Similarly, all the other mentioned variables are vulnerable to Cross-Site Scripting (XSS)

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

● User’s session cookie & end-user files disclosure.

● Hijack the user’s session & take over the account.

● Installation of Trojan horse programs.

● Redirection of the user to some other page or site.

● Modification to the presentation of content.

● Malicious script permanently stored on the server.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download and apply the following patch provided by the vendor:

http://www.getsymphony.com/download/

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2015-8766, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Nov 02, 2015

Vulnerability Discovered in Symphony CMS

Nov 03, 2015

Reported to Vendor

Nov 05, 2015

Vendor Response

Dec 10, 2015

Vendor Released Fixed version

Dec 12, 2015

Public Disclosed

Jan 06, 2016

CVE Assigned

Disclosed 38 days after discovery

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2015-8766

nvd.nist.gov/vuln/detail/CVE-2015-8766 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Reflected Cross-Site Scripting in Symphony CMS

CVE IDCVE-2015-8766

CVSS v3.16.1 Medium

VendorSymphony

CWECWE-79

DisclosedNov 3, 2015

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

Vendor: Symphony
Affected Product: Symphony
CVE: CVE-2015-8766
Securin ID: 2015-CSW-08-1001
Status: Fixed
Date: November 3, 2015
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

Issue 1: The POST Request of the variable email_sendmail[from_name] in the preference form is vulnerable to XSS. Similarly, the rest of the variables are also vulnerable.

PoC · Exploitation Steps▲ trigger

Note: Similarly, all the other mentioned variables are vulnerable to Cross-Site Scripting (XSS)

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

● User’s session cookie & end-user files disclosure.

● Hijack the user’s session & take over the account.

● Installation of Trojan horse programs.

● Redirection of the user to some other page or site.

● Modification to the presentation of content.

● Malicious script permanently stored on the server.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download and apply the following patch provided by the vendor:

http://www.getsymphony.com/download/

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2015-8766, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Nov 02, 2015

Vulnerability Discovered in Symphony CMS

Nov 03, 2015

Reported to Vendor

Nov 05, 2015

Vendor Response

Dec 10, 2015

Vendor Released Fixed version

Dec 12, 2015

Public Disclosed

Jan 06, 2016

CVE Assigned

Disclosed 38 days after discovery

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2015-8766

nvd.nist.gov/vuln/detail/CVE-2015-8766 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Reflected Cross-Site Scripting in Symphony CMS

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Vulnerability Discovered in Symphony CMS

Reported to Vendor

Vendor Response

Vendor Released Fixed version

Public Disclosed

CVE Assigned

Cite, verify, go deeper.

NVD — CVE-2015-8766

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Reflected Cross-Site Scripting in Symphony CMS

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Vulnerability Discovered in Symphony CMS

Reported to Vendor

Vendor Response

Vendor Released Fixed version

Public Disclosed

CVE Assigned

Cite, verify, go deeper.

NVD — CVE-2015-8766

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Reflected Cross-Site Scripting in Symphony CMS

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Vulnerability Discovered in Symphony CMS

Reported to Vendor

Vendor Response

Vendor Released Fixed version

Public Disclosed

CVE Assigned

Cite, verify, go deeper.

NVD — CVE-2015-8766

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Reflected Cross-Site Scripting in Symphony CMS

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Vulnerability Discovered in Symphony CMS

Reported to Vendor

Vendor Response

Vendor Released Fixed version

Public Disclosed

CVE Assigned

Cite, verify, go deeper.

NVD — CVE-2015-8766

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.