This is caused by a restriction in the client that prevents the team from being created if the remote user does not have admin rights. There is currently no exploit known, and the vulnerability does not currently affect most installations of Pexip, as it requires having remote users with admin rights on the target systems. Pexip Infinity 27.x before 27.3 has XSS due to Injection. The client allows users to upload files from the file manager, which can be used to deliver cross-site scripting attacks. The injection occurs when the client does not sufficiently sanitize uploaded files before displaying them to the user.

There currently is no known attack vector for this issue. Pexip Infinity 27.x before 27.3 is vulnerable to SQL Injection. The client allows users to edit messages, which can be used to deliver SQL injection attacks. The injection occurs when the client does not sufficiently sanitize user-submitted data before displaying it to the user. Pexip Infinity 27.x before 27.3 is vulnerable to Remote Code Execution due to a Persistent XSS Vulnerability. The client allows users to create and edit team settings, which can be used to deliver XSS attacks that result in code injection. The injection occurs when the client does not sufficiently sanitize user-submitted data before displaying it to the user. Pexip Infinity 27.x before 27.3 is vulnerable to Remote Code Execution due to a Persistent XSS V

Pexip Infinity Has Cross Site Scripting Vulnerabilities

Pexip Infinity 27.x before 27.3 has a Cross-Site Scripting Vulnerability due to Injection. The client allows users to upload files from the file manager, which can be used to deliver cross-site scripting attacks. The injection occurs when the client does not sufficiently sanitize uploaded files before displaying them to the user.

Pexip Infinity 27.x before 27.3 SQL Injection

The client allows users to edit messages. The injection occurs when the client does not sufficiently sanitize user-submitted data before displaying it to the user.

Pexip Infinity 27.4 (Current)

Pexip Infinity 27.4 (Current) is no longer vulnerable to Remote Code Execution due to a Persistent XSS Vulnerability. The client allows users to create and edit team settings, which can be used to deliver XSS attacks that result in code injection. The injection occurs when the client does not sufficiently sanitize user-submitted data before displaying it to the user. Pexip Infinity 27.4 (Current) is no longer vulnerable to SQL Injection. The client allows users to edit messages, which can be used to deliver SQL injection attacks. The injection occurs when the client does not sufficiently sanitize user-submitted data before displaying it to the user.

How to stay secure

1. Ensure that your Pexip Infinity server is patched with the latest release of Pexip Infinity.
2. Ensure that no servers are configured to allow for remote connections from unauthenticated users.
3. Ensure that at least one or more users on the server have administrator rights.

Timeline

Published on: 07/17/2022 21:15:00 UTC
Last modified on: 07/18/2022 13:39:00 UTC

References