SYNC-2021-072301 - JavaScript Injection Vulnerability in WebHelp Output

Severity: Medium2021-08-25

Security Advisories

Abstract

There is a JavaScript injection vulnerability in WebHelp output. Using XSS attack, an attacker may inject Javascript code by typing specific expression in search field. This exploit requires a user to be tricked into executing malicious code, by searching for specific text.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen XML WebHelp 23.1 and older versionsMedium Oxygen XML WebHelp 23.1 build 2021090310
Oxygen XML WebHelp 22.1 build 2021082006
Oxygen Publishing Engine 23.1 and older versionsMedium Oxygen Publishing Engine 23.1 build 2021082101
Oxygen Publishing Engine 22.1 build 2021082009
Oxygen XML Editor 23.1 and older versionsMedium Oxygen XML Editor 23.1 build 2021082307
Oxygen XML Editor 22.1 build 2021082013
Oxygen XML Developer 23.1 and older versionsMedium Oxygen XML Developer 23.1 build 2021082307
Oxygen XML Developer 22.1 build 2021082013
Oxygen XML Author 23.1 and older versionsMedium Oxygen XML Author 23.1 build 2021082307
Oxygen XML Author 22.1 build 2021082013

Mitigation

None

Detail

SYNC-2021-072301

Severity: Medium

CVSS Score: 5.5

Oxygen XML WebHelp output is vulnerable to cross-site scripting. This vulnerability allows users to inject arbitrary JavaScript code in the WebHelp output thus altering the intended functionality.

To fix this vulnerability, you need to:

  1. Update your products to a non-vulnerable version.
  2. Replace the WebHelp outputs that were previously generated using one of the affected products with freshly generated ones.

The vulnerability has been fixed in version 22.1 starting with build 2021082013 and version 23.1 starting with build 2021082307.

Revision History

2022-07-13 CVE-2021-46827 CVE ID has been assigned for this vulnerability.

List of Security Advisories