Malicious Website can Perform Actions Through Fabasoft Cloud or Fabasoft Folio Browser Extension (FSC21815)

Last update: 25 November 2020

ID: FSC21815

Affected Components: Fabasoft Cloud Client, Fabasoft Folio Client

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L, Basic Score: 8.3 (High)

Status: Final

First published: 14.05.2020

CVEs: -

Summary

The Fabasoft Cloud and Fabasoft Folio browser extensions use web messaging to communicate with the Fabasoft Cloud Client or Fabasoft Folio Client. The Fabasoft Cloud Client and Fabasoft Folio Client do not check whether the origin of these messages is a trustworthy site.

Impact

A malicious website can perform actions through the Fabasoft Cloud or Fabasoft Folio browser extension and store files in the temp directory of the current user.

Remediation

Fabasoft Cloud

If you do not have the auto-update enabled, update the Fabasoft Cloud Client to its current version. No further action is required for the Fabasoft Cloud Client.

Fabasoft Folio

Update the Fabasoft Folio Client to one of the versions mentioned below. Moreover, it is strongly recommended to restrict communication with the Fabasoft Folio Client to particular hosts or domains. This can be done by setting an appropriate registry key.

For more information concerning this setting of the Fabasoft Folio Client, refer to the topic “Security Considerations of the Fabasoft Folio Client Web Browser Integration” in the whitepaper “Fabasoft Folio Client” (https://help.folio.fabasoft.com/index.php?topic=doc/Fabasoft-Folio-Clien...).
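The defect in the Summary and the host restriction recommended above come down to one check: a web-messaging listener must compare the sender's full origin against an allow-list before acting on the message. The following is an added illustration, not Fabasoft's code; the advisory does not say where in the real client the check lives, so it is shown at a `postMessage` listener with constructed host names.

```javascript
// Added illustration (not Fabasoft's code): validating the origin of a web
// message before forwarding it to a native client. The allowed origins are
// constructed placeholders standing in for the administrator's configuration.
const ALLOWED_ORIGINS = new Set([
  "https://cloud.example.com",       // constructed placeholder
  "https://folio.intranet.example",  // constructed placeholder
]);

// Compare the complete origin (scheme + host + port), never a substring.
// A prefix test such as origin.startsWith("https://cloud.example.com")
// would also accept "https://cloud.example.com.attacker.test".
function isTrustedOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // not a parseable URL at all
  }
  // An origin is bare: reject anything carrying a path, query or fragment.
  if (url.origin !== origin) return false;
  return ALLOWED_ORIGINS.has(url.origin);
}

// Vulnerable pattern (the defect the advisory describes): the message is
// forwarded to the native client no matter which page posted it.
function handleMessageUnchecked(event, forwardToClient) {
  return forwardToClient(event.data);
}

// Hardened pattern: drop the message unless event.origin is allow-listed.
function handleMessageChecked(event, forwardToClient) {
  if (!isTrustedOrigin(event.origin)) {
    return { forwarded: false, reason: "untrusted origin: " + event.origin };
  }
  return forwardToClient(event.data);
}

// Stand-alone demonstration with constructed message events.
const forward = (data) => ({ forwarded: true, data });
const fromAttacker = { origin: "https://attacker.test", data: "store-file" };
const fromTrusted = { origin: "https://cloud.example.com", data: "store-file" };
console.log(handleMessageUnchecked(fromAttacker, forward)); // forwarded: true
console.log(handleMessageChecked(fromAttacker, forward));   // forwarded: false
console.log(handleMessageChecked(fromTrusted, forward));    // forwarded: true
```

In a real listener the same check belongs at the top of the `window.addEventListener("message", ...)` handler, and the native client should apply its own allow-list as well rather than trusting the extension alone.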

Hotfix Information

Fixed with the following versions of the Fabasoft Cloud Client or Fabasoft Folio Client:

  • Fabasoft Cloud Version 2020 June Release (Version 20.3.1)
  • Fabasoft Folio Client Version 2020 UR 2 (Version 20.1.2)
  • Hotfix for Fabasoft Folio Client Version 2019 UR3
  • Hotfix for Fabasoft Folio Client Version 2017 R1 UR6