An XSS security hole in ocPortal was reported to us yesterday. Additional testing has since found 2 very similar flaws.
This hole could allow an attacker to interfere with your website by luring a logged-in administrator to a malicious URL.
It is important to apply the attached security patch as soon as possible. This patch is compatible with ocPortal 9 sites. The attached zip contains 3 altered template files, to be uploaded to the themes/default/templates directory.
ocPortal's normal session security will block the most dangerous kinds of attack.
If you have ModSecurity on your server you are also unlikely to be affected.
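As an added illustration (not ocPortal's own code, and not the patched templates, whose contents the advisory does not show), the PHP below demonstrates the general shape of the flaw described above: a request parameter reflected into a template without escaping, alongside the hardened form that escapes it for the HTML context it lands in. The parameter name `q`, the template fragment and the check function are assumptions made for this example.

```php
<?php
// Added example, not ocPortal code. Parameter name "q" and the template
// fragment are assumptions; the input below is constructed for the demo.

// Vulnerable pattern: a value taken from the URL is echoed straight into
// the page body, so markup in the parameter becomes markup in the page.
function render_unsafe(array $get): string
{
    $q = $get['q'] ?? '';
    return "<p>Results for: $q</p>";
}

// Hardened pattern: every request-derived value is HTML-escaped for the
// context it is inserted into (element text here; ENT_QUOTES also makes
// it safe inside a quoted attribute value).
function render_safe(array $get): string
{
    $q = htmlspecialchars($get['q'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Results for: " . $q . "</p>";
}

// Regression check a template test could run: the rendered output must
// not contain the raw tag from the input (case-insensitive).
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed input modelled on the advisory's scenario: a logged-in
// administrator is lured to a URL whose parameter carries script.
$constructed = ['q' => '<script>alert(1)</script>'];

$unsafe = render_unsafe($constructed);
$safe   = render_safe($constructed);

echo "unsafe rendering: ", $unsafe, PHP_EOL;
echo "safe rendering:   ", $safe, PHP_EOL;
echo "unsafe leaks raw script tag: ", contains_raw_script($unsafe) ? 'yes' : 'no', PHP_EOL;
echo "safe leaks raw script tag:   ", contains_raw_script($safe) ? 'yes' : 'no', PHP_EOL;
```

The escaping function must match the insertion context: `htmlspecialchars` is correct for element text and quoted attribute values, but a value placed inside a `<script>` block, a URL, or an unquoted attribute needs context-specific encoding instead.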
To prevent this class of XSS vulnerability from recurring, our automated testing tools have been updated. This is how we found the 2 related vulnerabilities fixed in this patch.
Additionally, for our next version (v10) we have now implemented a self-updating software firewall so we can automatically roll out live mitigations for this kind of issue.
Credit for the vulnerability goes to Arjun Basnet from Cyber Security Works Pvt Ltd. We appreciate the time taken to find this issue and report it to us.
Security patch for XSS vulnerability