CVE-2018-17288

Name of the Vulnerable Software and Affected Versions Kofax Front Office Server version 4.1.1.11.0.5212

Description The issue concerns multiple authenticated stored XSS vulnerabilities. These can be exploited via the "Filename" field in the "/Kofax/KFS/ThinClient/document/upload/" endpoint for the Thin Client, or the "DeviceName" field in the "/Kofax/KFS/Admin/DeviceService/device/" endpoint for the Administration Console.

Recommendations For version 4.1.1.11.0.5212, consider disabling the upload functionality in the Thin Client and restricting access to the DeviceService in the Administration Console until a patch is available. Avoid using the "Filename" and "DeviceName" fields in the respective endpoints until the issue is resolved.