CVE-2019-17116

Name of the Vulnerable Software and Affected Versions WiKID 2FA Enterprise Server versions through 4.2.0-b2047

Description A stored and reflected cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the "/WiKIDAdmin/groups.jsp" API endpoint. The groupName parameter is vulnerable, causing reflected cross-site scripting to occur immediately after a group is created. The malicious script is stored and will be executed again whenever the "/WiKIDAdmin/groups.jsp" endpoint is visited.

Recommendations For WiKID 2FA Enterprise Server versions through 4.2.0-b2047, consider disabling access to the "/WiKIDAdmin/groups.jsp" endpoint until a patch is available, and restrict the use of the groupName parameter to minimize the risk of exploitation.