CVE-2023-46596
Improper input validation in FireFlow’s VisualFlow workflow editor
| Published | 2024-02-15 |
| Impact | Medium |
| Base CVSS Score | 5.1 |
| Product | AlgoSec FireFlow |
| Affected Versions |
A32.20 (up to build b590) A32.50 (up to build b420) A32.60 (up to build 240) |
| Fixed in Version |
A32.20 (b600 and above) A32.50 (b430 and above) A32.60 (250 and above) |
| Finder | Michał Bogdanowicz from Nordea Bank ABP |
Description
AlgoSec FireFlow VisualFlow workflow editor allows saving special html characters in Name, Description and Configuration File
fields of a workflow.
This allow an attacker to initiate an XSS attack by injecting malicious executable scripts into the application's code.
Issues addressed as part of this vulnerability
-
Validation is added to Name, Description and Configuration File fields of the FireFlow VisualFlow workflow editor.
-
All data entered by users is treated as untrusted and is validated before utilized by the application.
Solution
Upgrade ASMS to the fixed build as validation is added to affected fields of AlgoSec FireFlow VisualFlow workflow editor.
References
-
CVE-2023-46596 in cve.org