
Patryk Bogusz

Rank: #18,222 of 53,633 researchers
Total CVSS: 14.9
Vulnerabilities: 2 (1 High, 1 Medium)
PT-2021-18561 · CVSS 8.8 (High) · 2021-06-09 · CloverDX · CloverDX · CVE-2021-29995

**Name of the Vulnerable Software and Affected Versions**
CloverDX versions prior to 5.7.1; CloverDX versions 5.7.1 through 5.9.0

**Description**
A Cross-Site Request Forgery (CSRF) issue in the Server Console of CloverDX allows a remote attacker to perform any action available to the logged-in user, including script execution. As with any CSRF flaw, the attacker does not need the victim's credentials: it is enough to induce an authenticated user to open a crafted page, and the user's own browser then submits the forged request with the user's session.

**Recommendations**
For versions prior to 5.7.1, update to CloverDX 5.7.1 or later. For versions 5.7.1 through 5.9.0, update to CloverDX 5.10, CloverDX 5.9.1, or CloverDX 5.8.2.
PT-2021-18622 · CVSS 6.1 (Medium) · 2021-06-09 · CloverDX · CloverDX Server · CVE-2021-30133

**Name of the Vulnerable Software and Affected Versions**
CloverDX Server versions 5.7.0 through 5.9.0; CloverDX versions 5.7.0 through 5.8.1

**Description**
A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `sessionToken` parameter of multiple methods in the "Simple HTTP API". The number of potentially affected installations worldwide is not specified, and there is no information about real-world incidents in which this issue was exploited.

**Recommendations**
For versions 5.7.0 through 5.8.1, and for version 5.9.0, update to version 5.9.1 or 5.10. If you cannot upgrade immediately, restrict access to the Simple HTTP API (and therefore to requests that carry the `sessionToken` parameter) to trusted clients as a temporary workaround; this limits exposure but does not remove the flaw, so the upgrade is still required.
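The two entries above give version ranges and fixed releases but no way to check an inventory against them. The following is an added example, not code from CloverDX or from this site, that encodes both advisories as data and answers "is this installed version affected, and what is the nearest fix?" for CVE-2021-29995 and CVE-2021-30133. The affected ranges and fixed versions are taken from the advisory text above; the function names, the branch rule (a fix released on the same major.minor branch, such as 5.8.2, supersedes a range stated as "through 5.9.0") and the sample inventory are assumptions made for the example.

```python
"""Check installed CloverDX versions against the two advisories on this page.

Added example (not CloverDX or dbugs code). Ranges and fixed releases come from
the advisory text; the 'same-branch fix wins' rule is an assumption.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    cve: str
    cvss: float
    summary: str
    affected_max: str                 # highest version the advisory lists as affected
    fixed_in: tuple                   # releases the advisory says to upgrade to
    affected_min: Optional[str] = None  # None = "all versions prior to affected_max"


# Data transcribed from the advisories above.
ADVISORIES = (
    Advisory(
        cve="CVE-2021-29995", cvss=8.8,
        summary="CSRF in Server Console (any action as the logged-in user)",
        affected_max="5.9.0",         # "prior to 5.7.1" plus "5.7.1 through 5.9.0"
        fixed_in=("5.8.2", "5.9.1", "5.10"),
    ),
    Advisory(
        cve="CVE-2021-30133", cvss=6.1,
        summary="XSS via sessionToken in the Simple HTTP API",
        affected_min="5.7.0",         # "5.7.0 through 5.9.0" (Server)
        affected_max="5.9.0",
        fixed_in=("5.9.1", "5.10"),
    ),
)


def parse_version(s: str) -> tuple:
    """'5.9.0' -> (5, 9, 0); '5.10' -> (5, 10, 0). Pads to three components so
    that '5.10' compares greater than '5.9.1' (string comparison would not)."""
    parts = [int(p) for p in s.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {s!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    hi = parse_version(adv.affected_max)
    lo = parse_version(adv.affected_min) if adv.affected_min else None
    if v > hi or (lo is not None and v < lo):
        return False
    # Assumption: a fixed release on the same major.minor branch (e.g. 5.8.2 for
    # CVE-2021-29995) takes precedence over the "through 5.9.0" range.
    for fixed in adv.fixed_in:
        fv = parse_version(fixed)
        if fv[:2] == v[:2] and v >= fv:
            return False
    return True


def recommended_upgrade(version: str, adv: Advisory) -> str:
    """Nearest fix on the same branch if the advisory offers one, else the newest fix."""
    v = parse_version(version)
    fixes = sorted((parse_version(f), f) for f in adv.fixed_in)
    same_branch = [f for f in fixes if f[0][:2] == v[:2] and f[0] > v]
    return (same_branch[0] if same_branch else fixes[-1])[1]


def assess(version: str) -> list:
    """Return one finding per advisory that applies to the given version."""
    findings = []
    for adv in ADVISORIES:
        if is_affected(version, adv):
            findings.append({"cve": adv.cve, "cvss": adv.cvss,
                             "summary": adv.summary,
                             "upgrade_to": recommended_upgrade(version, adv)})
    return findings


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = {"etl-prod-01": "5.8.1", "etl-prod-02": "5.8.2",
                 "etl-dev": "5.6.0", "etl-new": "5.10"}
    for host, ver in inventory.items():
        for f in assess(ver) or [None]:
            if f is None:
                print(f"{host} ({ver}): not affected by the listed advisories")
            else:
                print(f"{host} ({ver}): {f['cve']} CVSS {f['cvss']} "
                      f"-> upgrade to {f['upgrade_to']}")
```

Note that 5.8.2 is reported as still affected by CVE-2021-30133: it lies inside the Server range 5.7.0 through 5.9.0 and the advisory names no 5.8.x fix for that CVE, so the only remedies are 5.9.1 or 5.10.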