Malicious Website can Perform Actions Through Fabasoft Cloud or Fabasoft Folio Browser Extension (FSC21815)
ID: FSC21815
Affected Components: Fabasoft Cloud Client, Fabasoft Folio Client
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L, Base Score: 8.3 (High)
Status: Final
First published: 14.05.2020
CVEs: -
Summary
The Fabasoft Cloud or Fabasoft Folio browser extension uses web messaging to communicate with the Fabasoft Cloud Client or Fabasoft Folio Client. The Fabasoft Cloud Client or Fabasoft Folio Client does not check whether the origin of an incoming message is a trustworthy site, so messages from any web page are processed as if they came from the Fabasoft web application.
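The following is an added example, not code from Fabasoft or from the extension described in this advisory. It models the message path the summary describes: a page calls window.postMessage(), the extension's listener receives a MessageEvent and forwards the request to a native client. The first handler accepts every message (the vulnerable pattern), the second checks event.origin against an exact-match allowlist and validates the message shape before acting. The native client is a constructed stand-in that only records which files it was asked to store; the origin list, action name and function names are assumptions.

```javascript
// Added example (not Fabasoft code). Models an extension listener that forwards
// window.postMessage() requests to a native client. TRUSTED_ORIGINS, the
// 'storeTempFile' action and all function names are assumptions.

// Constructed stand-in for the native client: it only records the files it
// was asked to store in the user's temp directory.
function makeClient() {
  const tempFiles = [];
  return {
    tempFiles,
    storeTempFile(name, content) {
      tempFiles.push({ name, content });
      return true;
    },
  };
}

// Vulnerable pattern: the sender's origin is never consulted, so any page
// that can reach the listener can drive the client.
function handleMessageUnchecked(client, event) {
  const msg = event.data;
  if (msg && msg.action === 'storeTempFile') {
    return client.storeTempFile(msg.name, msg.content);
  }
  return false;
}

// Hardened pattern: act only on messages from an allow-listed origin that
// carry the expected shape.
const TRUSTED_ORIGINS = new Set(['https://cloud.example.com']); // assumption

function isTrustedOrigin(origin, trusted = TRUSTED_ORIGINS) {
  // Exact string match on the full origin (scheme + host + port). No suffix or
  // substring matching, which would let https://cloud.example.com.attacker.test
  // through, and no wildcard. A sandboxed frame reports the string "null",
  // which is rejected here because it is not in the set.
  return typeof origin === 'string' && trusted.has(origin);
}

function handleMessageChecked(client, event, trusted = TRUSTED_ORIGINS) {
  if (!isTrustedOrigin(event.origin, trusted)) return false;
  const msg = event.data;
  if (!msg || typeof msg !== 'object') return false;
  if (msg.action !== 'storeTempFile') return false;
  if (typeof msg.name !== 'string' || typeof msg.content !== 'string') return false;
  // Reject separators and parent references so the file name cannot steer the
  // client outside its temp directory.
  if (/[\\/]|\.\./.test(msg.name)) return false;
  return client.storeTempFile(msg.name, msg.content);
}

// In a real extension the hardened handler would be wired up as:
//   window.addEventListener('message', (e) => handleMessageChecked(nativeClient, e));

// Constructed MessageEvent-like objects: one from an attacker page, one from
// the trusted origin.
const attackerEvent = {
  origin: 'https://attacker.test',
  data: { action: 'storeTempFile', name: 'payload.exe', content: 'MZ...' },
};
const trustedEvent = {
  origin: 'https://cloud.example.com',
  data: { action: 'storeTempFile', name: 'report.pdf', content: '%PDF-1.7' },
};

function demo() {
  const vulnerable = makeClient();
  const hardened = makeClient();
  return {
    uncheckedAcceptsAttacker: handleMessageUnchecked(vulnerable, attackerEvent),
    checkedRejectsAttacker: handleMessageChecked(hardened, attackerEvent),
    checkedAcceptsTrusted: handleMessageChecked(hardened, trustedEvent),
    vulnerableFiles: vulnerable.tempFiles.length,
    hardenedFiles: hardened.tempFiles.length,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The origin check belongs on whichever side first trusts the message: here the listener, but the same exact-match comparison applies when the native client itself decides which hosts or domains it will talk to. Checking event.source or the message contents instead of event.origin does not help, because both are attacker-controlled.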
Impact
A malicious website can perform actions through the Fabasoft Cloud or Fabasoft Folio browser extension and store files in the temp directory of the current user.
Remediation
Fabasoft Cloud
If you do not have the auto-update enabled, update the Fabasoft Cloud Client to its current version. No further action is required for the Fabasoft Cloud Client.
Fabasoft Folio
Update the Fabasoft Folio Client to the version mentioned below. Moreover, it is strongly recommended to restrict the communication with the Fabasoft Folio Client to particular hosts or domains. This can be done by setting an appropriate registry key.
For more information concerning this setting of the Fabasoft Folio Client refer to topic “Security Considerations of the Fabasoft Folio Client Web Browser Integration” in the Whitepaper “Fabasoft Folio Client” (https://help.folio.fabasoft.com/index.php?topic=doc/Fabasoft-Folio-Clien...)
Hotfix Information
Fixed with the following versions of the Fabasoft Cloud or Fabasoft Folio Client:
- Fabasoft Cloud Version 2020 June Release (Version 20.3.1)
- Fabasoft Folio Client Version 2020 UR 2 (Version 20.1.2)
- Hotfix for Fabasoft Folio Client Version 2019 UR3
- Hotfix for Fabasoft Folio Client Version 2017 R1 UR6