RSS   Vulnerabilities for 'Front office server'   RSS

2019-04-18
 
CVE-2018-17289

CWE-611
 

 
An XML external entity (XXE) vulnerability in Kofax Front Office Server Administration Console version 4.1.1.11.0.5212 allows remote authenticated users to read arbitrary files via crafted XML inside an imported package configuration (.ZIP file) within the Kofax/KFS/Admin/PackageService/package/upload file parameter.

 
 
CVE-2018-17288

CWE-79
 

 
Kofax Front Office Server version 4.1.1.11.0.5212 (both Thin Client and Administration Console) suffers from multiple authenticated stored XSS vulnerabilities via the (1) "Filename" field in /Kofax/KFS/ThinClient/document/upload/ - (Thin Client) or (2) "DeviceName" field in /Kofax/KFS/Admin/DeviceService/device/ - (Administration Console).

 
 
CVE-2018-17287

CWE-200
 

 
In Kofax Front Office Server Administration Console 4.1.1.11.0.5212, some fields, such as passwords, are obfuscated in the front-end, but the cleartext value can be exfiltrated by using the back-end "download" feature, as demonstrated by an mfp.password downloadsettingvalue operation.

 

 >>> Vendor: Kofax 2 Products
Kofax e-transactions sender sendbox
Front office server


Copyright 2019, cxsecurity.com

 

Back to Top