usefulfor.com/security security dojo

15 Jan 2008

Meridio Embedded Cross Site Scripting

Meridio Document and Records Management is an enterprise content management system (Enterprise Document and Records Management - eDRM).

Meridio has been identified as vulnerable to an embedded (stored) cross-site scripting vulnerability in the 'Title' field when uploading a document (name="subGeneralProps:dmpvDocTitle:PROP_W_title") and when creating a container (name="subGeneralProps:dmpvContainerTitle:PROP_W_title"), and also within the uploaded document itself.

Consequently, a malicious user could permanently inject JavaScript into the application. Because the injected code is stored, it could be made accessible to other users of the Meridio application and would be executed within the context of the browser of any user viewing the page that contains the embedded script.

This vulnerability could be exploited in a large number of ways, such as session hijacking, key logging or social engineering; the main limitation would be the creativity of the person performing the attack.

It should be noted that for this vulnerability to be exploited an attacker would need to be a user of the application or to have compromised a user account.
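The following is an added example, not code from the advisory or from Meridio, showing the rendering defect described above beside its hardened form: a stored title concatenated into HTML unchanged, versus the same title HTML-encoded at output time. The form field names are the ones quoted in the advisory; the sample titles and the `find_suspicious_titles` audit helper are constructed for this example.

```python
import html
import re

# Constructed sample of what the upload and create-container forms post.
# Field names are from the advisory; the values are made up for this example.
SUBMITTED_FIELDS = {
    "subGeneralProps:dmpvDocTitle:PROP_W_title": "Q4 report <script>alert(1)</script>",
    "subGeneralProps:dmpvContainerTitle:PROP_W_title": "Projects <img src=x onerror=alert(1)>",
}

def render_title_vulnerable(title: str) -> str:
    """Stored-XSS pattern: the persisted title is placed into the HTML page unchanged,
    so any markup the submitting user typed is interpreted by every viewer's browser."""
    return f'<td class="title">{title}</td>'

def render_title_safe(title: str) -> str:
    """Hardened rendering: HTML-encode the title at output time for the element-text
    context, so '<', '>', '&' and quotes are shown literally rather than parsed."""
    return f'<td class="title">{html.escape(title, quote=True)}</td>'

def render_listing(fields: dict, safe: bool = True) -> str:
    """Render one document-listing row from the two title fields the advisory names."""
    render = render_title_safe if safe else render_title_vulnerable
    cells = "".join(render(fields[name]) for name in sorted(fields))
    return f"<tr>{cells}</tr>"

# Defender check for titles already stored before the fix (4.3 SR1) is deployed:
# flag values containing tags, event-handler attributes or javascript: URLs for review.
SUSPICIOUS_RE = re.compile(r"<\s*/?[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

def find_suspicious_titles(stored_titles) -> list:
    """Return the stored titles that contain markup and deserve manual review."""
    return [t for t in stored_titles if SUSPICIOUS_RE.search(t)]

if __name__ == "__main__":
    print(render_listing(SUBMITTED_FIELDS, safe=False))
    print(render_listing(SUBMITTED_FIELDS, safe=True))
    print(find_suspicious_titles(["Budget 2008", *SUBMITTED_FIELDS.values()]))
```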

Meridio have addressed this vulnerability and implemented a fix in version 4.3 SR1 and higher.

The full security advisory can be found here: [1]
