In vulnerable versions, when the administrator saves a new information document, the system will automatically generate and save a link to the new information document. If the administrator has a system that is not updated to version 19.02, an attacker can exploit this vulnerability to inject malicious code into a user’s browser and steal sensitive information. In some cases, this could be done without the knowledge of the user. An attacker could exploit this vulnerability to conduct a phishing attack or steal data. ------------- XSS vulnerability in Yordam Library Information Document Automation 19.02 Before version 19.02, the system does not validate user-entered data. If an attacker sends user-entered data that contains malicious code, the system will execute the code.
Prerequisites
- The system must be on version 19.02 or later of Yordam Library Information Document Automation
- The user must have at least one information document saved in the system
- An attacker must send an HTTP request to the vulnerable page with a malicious payload in the body (such as a JavaScript payload)
- XSS vulnerability in Yordam Library Information Document Automation 19.02
Fix for CVE-2021-45476
The system must be updated to version 19.02 or later to prevent XSS vulnerabilities.
Vulnerability description
A vulnerability exists in the Yordam Library Information Document Automation (YORDAM) version 19.02 that is not correctly filtered before being saved to a database, allowing an attacker to inject malicious code into a user’s browser and steal sensitive information.
An attacker can exploit this vulnerability to conduct a phishing attack or steal data. ------------- XSS vulnerability in Yordam Library Information Document Automation 19.02 Before version 19.02, the system does not validate user-entered data. If an attacker sends user-entered data that contains malicious code, the system will execute the code.
Vulnerability overview
The vulnerability allows an attacker to exploit the system and take control of a user’s browser. An attacker can use this to steal sensitive information, or conduct phishing attacks. This vulnerability is found in versions of Yordam Library Information Document Automation 19.02 and earlier, but is not present in later versions.
Timeline
Published on: 10/27/2022 10:15:00 UTC
Last modified on: 10/28/2022 17:34:00 UTC