PT-2013-75: Cross-Site Scripting in Nuxeo Platform Vulnerable softwareNuxeo Platform Version: 5.5.0, 5.6.0, 5.8.0, 5.9.0 and earlierLink: http://www.nuxeo.com/Severity levelSeverity level: Medium Impact: Cross-Site Scripting Access Vector: Remote CVSS v2: Base Score: 4.3 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)CVE: not assignedSoftware descriptionNuxeo Platform is a web content management system.Vulnerability descriptionThe specialists of the Positive Research center have detected a Cross-Site Scripting vulnerability in Nuxeo Platform.Cross-site scripting in the login.jsp page allows remote attackers to inject arbitrary HTML tags (including JavaScript scripts, etc.) to a page processed by user's browser.How to fix Update your software up to the latest version.Advisory status 12.12.2013 - Vendor gets vulnerability details 12.12.2013 - Vendor releases fixed version and details 26.12.2014 - Public disclosureCreditsThe vulnerability was detected by using Positive Technologies Application Inspector, the application security testing systemReferenceshttp://en.securitylab.ru/lab/PT-2013-75 https://jira.nuxeo.com/browse/NXP-13393 Reports on the vulnerabilities previously discovered by Positive Research:http://www.ptsecurity.com/research/advisory/ http://en.securitylab.ru/lab/