Aon’s Cyber Solutions has discovered multiple vulnerabilities affecting CommonSpot CMS v10.6 and earlier. An unauthenticated XML External Entity Injection (XXE) vulnerability and two authenticated SQL Injection vulnerabilities were discovered by Sean Melia. CVE IDs are pending assignment.
Aon would like to thank PaperThin for working with us as part of our coordinated disclosure process. Patches remediating the vulnerabilities were made available to CommonSpot users in November 2019.
Timeline:
10/28/19 – Initial disclosure to PaperThin
11/12/19 – Issues confirmed and patches developed
11/25/19 – Patches released
01/30/20 – Aon advisory released