SiteVision Insufficient Module Access Control
Attackers may inject non-authorised modules when editing pages using a low-privilege account, leading to impacts ranging from Cross-Site Scripting to Remote Code Execution.
SiteVision AB is a Swedish product company focused on developing the portal and web publishing platform SiteVision.
All versions of SiteVision 4 until 4.5.6.
All versions of SiteVision 5 until 5.1.1.
Earlier major versions are assumed to be vulnerable.
This vulnerability allows remote code execution as described in CVE-2019-12733.
Modules are basic building blocks in SiteVision pages and templates; they can feature display content such as headings and paragraphs, social functions and commenting, raw HTML, or server-side scripts.
The SiteVision application does not sufficiently assert whether or not the current user is authorised to add a specific module type to the current page, allowing attackers with low-privilege to add hostile content.
This can trivially be reproduced by adding a paragraph text module, and changing “text” to “html” (or any other type) in the outgoing HTTP request. The application does not check whether or not the user is authorised to add the requested module; it relies on the fact that the user interface does not expose a button for it.
Reproduced on SiteVision 4 and 5; the following steps applies to SiteVision 5:
- Install SiteVision and either create or import a new site.
- Set up and create an Editor (“Redaktör”) user.
- Log on as the new low-privilege user.
- Create a new page and note how only basic modules are available.
- Insert a text module.
Re-send the HTTP request generated in step #5, but change the value of portletType from “text” to “html”. The following is the resulting request for our demo environment:
- Under “Other” check “Show in edit mode”.
- Press “OK”.
Vulnerability Disclosure Timeline
2019-06-03 - Disclosed to vendor
2019-06-04 - Vendor confirms vulnerability
2019-09-26 - Vendor issues patches
2019-12-04 - Public disclosure