CVE-2019-17120

Name of the Vulnerable Software and Affected Versions WiKID 2FA Enterprise Server versions through 4.2.0-b2047

Description A stored and reflected cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the "/WiKIDAdmin/adm usrs.jsp" API endpoint. The usr parameter is vulnerable, with the reflected cross-site scripting occurring immediately after a user is created. The malicious script is stored and will be executed whenever the "/WiKIDAdmin/adm usrs.jsp" endpoint is visited.

Recommendations For WiKID 2FA Enterprise Server versions through 4.2.0-b2047, consider disabling access to the "/WiKIDAdmin/adm usrs.jsp" endpoint until a fix is available, and restrict the use of the usr parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.