CVE-2012-5358

9.8 CRITICAL

📋 TL;DR

This vulnerability in Ektron CMS allows remote attackers to read arbitrary files via crafted XSL data due to insecure XSLT configuration. Attackers can bypass authentication, modify viewstate, cause denial of service, or potentially execute other malicious actions. Affects Ektron CMS installations before version 8.02 SP5.

💻 Affected Systems

Products:
  • Ektron Content Management System
Versions: All versions before 8.02 SP5
Operating Systems: Windows (primary), potentially others running Ektron
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations where XslCompiledTransform is used with the document() function enabled (XsltSettings.EnableDocumentFunction set to true).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise including arbitrary file read, authentication bypass, potential remote code execution, and full control of the CMS instance.

🟠 Likely Case: Unauthorized file access leading to credential theft, configuration disclosure, and authentication bypass to gain administrative privileges.

🟢 If Mitigated: Limited impact with proper network segmentation, but still potential for information disclosure from accessible files.

🌐 Internet-Facing: HIGH - Remote attackers can exploit this without authentication via web requests.
🏢 Internal Only: HIGH - Even internal attackers or compromised systems can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details and proof-of-concept code are available online. Attack requires sending crafted XSL data to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.02 SP5

Vendor Advisory: http://documentation.ektron.com/current/ReleaseNotes/Release8/8.02SP5.htm

Restart Required: Yes

Instructions:

1. Back up your Ektron installation and database.
2. Download and install Ektron CMS 8.02 SP5 from official sources.
3. Apply the update following Ektron's upgrade documentation.
4. Restart the application server and verify functionality.

🔧 Temporary Workarounds

Disable document function in XSLT

Applies to: all

Set EnableDocumentFunction to false in the XsltSettings passed to XslCompiledTransform.Load wherever the CMS transforms XSL data.

In code: XsltSettings.EnableDocumentFunction = false (XsltSettings.Default already disables both document() and embedded script).
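The weak configuration next to the hardened one, as an added example that is not Ektron's code: it assumes the XslCompiledTransform pattern the advisory describes, uses a constructed stylesheet and a constructed temp file as the "sensitive" target, and shows that with document() disabled the same stylesheet fails with an XsltException instead of returning file contents.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

// Added example, not Ektron's code: the weak XSLT setup next to the hardened one.
static class XsltDocumentFunctionDemo
{
    // Constructed stylesheet that calls document() on a server-side file URI,
    // the shape of "crafted XSL data" the advisory describes.
    static string UntrustedXsl(string fileUri) =>
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">" +
        "<xsl:output method=\"text\"/>" +
        "<xsl:template match=\"/\"><xsl:value-of select=\"document('" + fileUri + "')\"/></xsl:template>" +
        "</xsl:stylesheet>";

    // Compiles an untrusted stylesheet and runs it; the same resolver is used for
    // xsl:include/xsl:import at load time and for document() at transform time.
    static string Run(string xsl, XsltSettings settings, XmlResolver resolver)
    {
        var transform = new XslCompiledTransform();
        transform.Load(XmlReader.Create(new StringReader(xsl)), settings, resolver);
        var output = new StringWriter();
        using (var writer = XmlWriter.Create(output, transform.OutputSettings))
            transform.Transform(XmlReader.Create(new StringReader("<root/>")), null, writer, resolver);
        return output.ToString();
    }

    static void Main()
    {
        // Constructed stand-in for a sensitive XML file on the web server.
        string secretPath = Path.Combine(Path.GetTempPath(), "demo-secret.xml");
        File.WriteAllText(secretPath, "<config><password>CONSTRUCTED-SECRET</password></config>");
        string xsl = UntrustedXsl(new Uri(secretPath).AbsoluteUri);

        // Weak: TrustedXslt turns on document() and embedded script, and a URL
        // resolver lets the stylesheet read the file into the response.
        Console.WriteLine("weak: " + Run(xsl, XsltSettings.TrustedXslt, new XmlUrlResolver()));

        // Hardened: document() and script off, and no resolver, so external
        // resources cannot be fetched even if a setting is later flipped.
        var hardened = new XsltSettings(enableDocumentFunction: false, enableScript: false);
        try
        {
            Console.WriteLine("hardened: " + Run(xsl, hardened, null));
        }
        catch (XsltException e)
        {
            Console.WriteLine("hardened: blocked - " + e.Message); // document() prohibited
        }
        File.Delete(secretPath);
    }
}
```

Passing a null resolver matters on its own: even with document() enabled, no external URI can be fetched without one, so the two settings together give defence in depth.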

Input validation for XSL data

Applies to: all

Implement strict input validation and sanitization for all XSL data inputs.

Implement input validation in code to reject suspicious XSL patterns

🧯 If You Can't Patch

  • Implement strict WAF rules to block requests containing XSL document() function calls
  • Network segmentation to isolate Ektron servers and restrict access to sensitive file systems

🔍 How to Verify

Check if Vulnerable:

Check Ektron CMS version in administration panel or web.config file. If version is below 8.02 SP5, system is vulnerable.

Check Version:

Check Ektron web.config file for version information or login to Ektron admin panel

Verify Fix Applied:

Verify version is 8.02 SP5 or higher in administration panel. Test XSLT functionality to ensure document() function is disabled.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XSL file uploads or requests
  • Multiple failed authentication attempts after XSL requests
  • Access to sensitive system files via web requests

Network Indicators:

  • HTTP requests containing XSL document() function calls
  • Unusual file read patterns from web server

SIEM Query:

source="web_server" AND (uri="*.xsl" OR uri="*.xslt") AND (request_body CONTAINS "document(" OR response_size > 1000000)

🔗 References
