Affected Components: Fabasoft Folio Client with Fabasoft eGov-Suite
Severity: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N, Basic Score: 4,2 (Medium)
First published: 23.11.2020
Running the mail-merge process from within Fabasoft eGov-Suite (that is processed by the locally installed Folio Client), and the user opens other Word documents during mail-merge processing, the wrong content could be applied as mail-merge result.
In the case that the user opens a Word document beneath the mail-merge process, the Folio Client wrongly assumes that the opened document is the result of the mail-merge. The document with wrong content is assigned to the receipient of the mail-merge, and in consequence may be sent to a receipient of the mail-merge.
The wrongly used content may include personally identifiable or confidential information.
Fabasoft has fixed the issue. A hotfix is available for Fabasoft Folio versions listed in the hotfix section.
The fix requires to update the Fabasoft Folio Client on the client machines. No update of other services is required.
As long as the Fabasoft Folio Client was not updated to the build numbers mentioned below, recommend your users to not open any other Microsoft Word documents as long as the progress bar of the mail-merge is visible.
Fabasoft has fixed this issue in the following Fabasoft Folio / Fabasoft eGov-Suite versions:
- Fabasoft Folio 2021 (from Folio Client version 184.108.40.206)
- Fabasoft Folio 2020 Update Rollup 4 (from Folio Client version 220.127.116.11)
- Fabasoft Folio 2019 Update Rollup 3 (from Folio Client version 18.104.22.168)
- Fabasoft Folio 2017 R1 (from Kit 22.214.171.124 / from Folio Client version 126.96.36.199)
- Fabasoft Folio 2017 R1 UR7 (from Folio Client version 188.8.131.52)
- Fabasoft Folio 2016 Update Rollup 7 (from Kit 184.108.40.206 / from Folio Client version 220.127.116.11)
- and all major releases and Update Rollups above the mentioned versions.