CVE-2018-13791

Name of the Vulnerable Software and Affected Versions ABBYY FlexiCapture versions prior to 12 Release 1 Update 7

Description The issue concerns the HTTP API, which allows an attacker to conduct Access Control attacks. This is achieved via the "/FlexiCapture12/Login/Server/SevaUserProfile" API endpoint, specifically through the FlexiCaptureTmsSts2 parameter.

Recommendations For versions prior to 12 Release 1 Update 7, update to version 12 Release 1 Update 7 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/FlexiCapture12/Login/Server/SevaUserProfile" API endpoint to minimize the risk of exploitation. Avoid using the FlexiCaptureTmsSts2 parameter in the affected API endpoint until the issue is resolved.