This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

XSS Vulnerability on Request Details when Adding Notes to a Request

Symptoms:

A Cross-site scripting (XSS) vulnerability in App Portal 2018 R1 and earlier allows remote attackers to inject arbitrary web script or HTML via the note context parameter. 

Cause

Request validation is disabled on the request details page, and this exposes the XSS vulnerability.  

Solution:

This issue has been resolved in App Portal 2019 R1. Please download the latest version of App Portal 2019 R1 from the PLC download area.  

Workaround: 

This issue can be worked around, by opening the file <install dir>/web/web.confg, and removing the following section from the file:

<location path="RequestDetails.aspx">
    <system.web>
      <pages validateRequest="false" />
      <httpRuntime requestValidationMode="2.0" />
    </system.web>
  </location>

Additional Information: 

This issue has been tracked under issue number IOJ-1906238.
For release notes and resolved issues with App Portal 2019 R1, please visit:
https://helpnet.flexerasoftware.com/appportal/rn2019r1/AppPortalAppBroker2019r1ReleaseNotes.htm#resolve

Related Documents: 

Secunia Research at Flexera has issued an advisory SA88121.
A copy of the advisory is attached to this article. 

 

‎Apr 30, 2019 07:07 AM - edited ‎May 02, 2019 01:02 PM

Preview file
29 KB
Was this article helpful? Yes No
No ratings
0 Kudos
Version history
Last update:
‎May 02, 2019 01:02 PM
Updated by:
Level 7 Flexeran