SYNC-2021-072301 - JavaScript Injection Vulnerability in WebHelp Output
Severity: Medium
2021-08-25
Abstract
There is a JavaScript injection vulnerability in WebHelp output. Through a cross-site scripting (XSS) attack, an attacker may inject JavaScript code by entering a specific expression in the search field. Exploiting it requires a user to be tricked into executing the malicious code by searching for specific text.
Affected Products/Versions
Product | Severity | Fixed Release Availability
--- | --- | ---
Oxygen XML WebHelp 23.1 and older versions | Medium | Oxygen XML WebHelp 23.1 build 2021090310; Oxygen XML WebHelp 22.1 build 2021082006
Oxygen Publishing Engine 23.1 and older versions | Medium | Oxygen Publishing Engine 23.1 build 2021082101; Oxygen Publishing Engine 22.1 build 2021082009
Oxygen XML Editor 23.1 and older versions | Medium | Oxygen XML Editor 23.1 build 2021082307; Oxygen XML Editor 22.1 build 2021082013
Oxygen XML Developer 23.1 and older versions | Medium | Oxygen XML Developer 23.1 build 2021082307; Oxygen XML Developer 22.1 build 2021082013
Oxygen XML Author 23.1 and older versions | Medium | Oxygen XML Author 23.1 build 2021082307; Oxygen XML Author 22.1 build 2021082013
Detail
SYNC-2021-072301
Severity: Medium
CVSS Score: 5.5
Oxygen XML WebHelp output is vulnerable to cross-site scripting. This vulnerability allows users to inject arbitrary JavaScript code into the WebHelp output, thus altering its intended functionality.
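The class of bug the advisory describes is a search term that is echoed back into the results page as live markup. The following is an added illustration, not Oxygen's WebHelp code: a hypothetical, string-based model of a results header rendered from the query (the `q` parameter name, the URL and the sample term are constructed assumptions), with the unescaped version beside the escaped one and a check that tells the two apart. It runs in Node without a DOM.

```javascript
// Added example (not from the advisory or the product): a search term
// echoed into HTML without escaping, and the escaped form that fixes it.
// The `q` parameter, the URL and the sample term are constructed assumptions.

// Characters that must be neutralised before user text is placed in HTML.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical: read the term the user typed from the results-page URL.
function parseSearchTerm(url) {
  return new URL(url).searchParams.get('q') ?? '';
}

// Vulnerable pattern: the raw term is interpolated into markup, so any
// tags it contains become part of the page and a script tag would run.
function renderSearchHeaderUnsafe(term) {
  return `<h2>Results for: ${term}</h2>`;
}

// Hardened pattern: the term is escaped first and is shown literally.
function renderSearchHeaderSafe(term) {
  return `<h2>Results for: ${escapeHtml(term)}</h2>`;
}

// Review check: does a given tag survive in the rendered output as live
// markup? Escaped text has no '<', so it never matches.
function containsLiveTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, 'i').test(html);
}

// Constructed sample URL whose search term carries a script tag.
const sampleUrl =
  'https://docs.example/webhelp/search.html?q=' +
  encodeURIComponent("<script>alert('x')</script>");

function demo() {
  const term = parseSearchTerm(sampleUrl);
  const unsafe = renderSearchHeaderUnsafe(term);
  const safe = renderSearchHeaderSafe(term);
  return {
    term,
    unsafeHasScript: containsLiveTag(unsafe, 'script'),
    safeHasScript: containsLiveTag(safe, 'script'),
    safe,
  };
}

console.log(demo());
```

The same check applies to regenerated WebHelp output: after rebuilding with a fixed release, confirm that whatever is typed into the search field appears in the page only as escaped text, never as an element.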
To fix this vulnerability, you need to:
- Update your products to a non-vulnerable version.
- Replace the WebHelp outputs that were previously generated using one of the affected products with freshly generated ones.
The vulnerability has been fixed in version 22.1 starting with build 2021082013 and version 23.1 starting with build 2021082307.