Reflected Cross Site Scripting at First Request (FSC29337)

Last update: 16 September 2021

ID: FSC29337

Affected Components: Fabasoft Folio Webservices, Fabasoft Cloud Webservices

Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, Base Score: 7.3

Status: Final

First published: 28.08.2021

CVEs: -

Summary

By passing malicious content in a parameter of the first request to the Fabasoft Folio web client, an error is returned that reflects this content. The content type of the response is not interpreted correctly by the browser, so the malicious content is injected into the web browser client.

Impact

An attacker may send a link to a user containing the malicious content. If the user opens the link in the web browser, code may be executed in the current user's context.

Remediation

Parameter values are no longer included in the error message.
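The following is an added illustration, not Fabasoft code, of the pattern described in the Summary and in this remediation: a hypothetical error handler that echoes the request parameter under an unspecified content type, beside one that omits the value and declares a plain-text type. The handler, function names, and the probe string are assumptions.

```python
# Added illustration of the flaw class in this advisory; not Fabasoft code.
# Models a hypothetical handler that rejects a bad parameter on the first request.
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def error_response_vulnerable(param_value: str) -> Response:
    """Echoes the offending parameter value into the error body. With no
    explicit text content type, the browser sniffs the body and may render
    it as HTML, so whatever was reflected is interpreted as markup."""
    body = f"Error: unknown value '{param_value}' in first request"
    return Response(400, {}, body)


def error_response_fixed(param_value: str) -> Response:
    """The fix the advisory describes: the parameter value is left out of
    the error message. A plain-text content type plus nosniff additionally
    keeps the browser from treating the body as HTML."""
    body = "Error: invalid parameter in first request"
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return Response(400, headers, body)


def reflects_untrusted_input(resp: Response, param_value: str) -> bool:
    """Regression check for a test suite: true when the error response echoes
    the raw request value AND is served in a form the browser may render."""
    ctype = resp.headers.get("Content-Type", "")
    nosniff = resp.headers.get("X-Content-Type-Options", "").lower() == "nosniff"
    echoed = param_value in resp.body
    renderable = not ctype.startswith("text/plain") or not nosniff
    return echoed and renderable


# Constructed probe string (harmless markup marker), not a real payload.
PROBE = "<i>marker</i>"

if __name__ == "__main__":
    print("vulnerable reflects:", reflects_untrusted_input(error_response_vulnerable(PROBE), PROBE))
    print("fixed reflects:", reflects_untrusted_input(error_response_fixed(PROBE), PROBE))
```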

Fabasoft Cloud

A hotfix was applied in the Fabasoft Cloud on 16 August 2021.

Fabasoft Folio / Fabasoft eGov-Suite

A hotfix is provided for all supported Fabasoft Folio / Fabasoft eGov-Suite versions. It is recommended to install this hotfix.

Hotfix Information (Fabasoft Folio)

Fixed with the following versions of Fabasoft Folio:

  • Fabasoft Folio Version 2021 Update Rollup 2 (21.1.2)

A hotfix is provided for the following Fabasoft Folio versions:

  • Fabasoft Folio Version 2021 July Release (21.7.0)
  • Fabasoft Folio Version 2021 Update Rollup 1 (21.1.1)
  • Fabasoft Folio Version 2020 Update Rollup 5 (20.1.5)
  • Fabasoft Folio Version 2020 Update Rollup 4 (20.1.4)
  • Fabasoft Folio Version 2019 Update Rollup 3 (19.2.3)
  • Fabasoft Folio Version 2017 R1 Update Rollup 7 (17.4.7)
  • Fabasoft Folio Version 2017 R1 Update Rollup 6 (17.4.6)
  • and all major releases and Update Rollups above the mentioned versions.

Hotfix Information (Fabasoft eGov-Suite)

Fixed with the following versions of Fabasoft eGov-Suite:

  • Fabasoft eGov-Suite 2021 Update Rollup 2 (21.1.2)

A hotfix is provided for the following Fabasoft eGov-Suite versions:

  • Fabasoft eGov-Suite 2021 July Release (21.7.0)
  • Fabasoft eGov-Suite 2021 Update Rollup 1 (21.1.1)
  • Fabasoft eGov-Suite 2020 Update Rollup 5 (20.1.5)
  • Fabasoft eGov-Suite 2020 Update Rollup 4 (20.1.4)
  • Fabasoft eGov-Suite 2019 Update Rollup 3 (19.2.3)