CVE-2019-17114

Name of the Vulnerable Software and Affected Versions WiKID 2FA Enterprise Server versions through 4.2.0-b2047

Description A stored and reflected cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the "/WiKIDAdmin/userPreregistration.jsp" API endpoint. The preRegistrationData parameter is vulnerable, leading to a reflected cross-site scripting occurrence immediately after a .csv file is uploaded. The malicious script is stored and can be executed again when the List Pre-Registration functionality is used.

Recommendations For versions through 4.2.0-b2047, as a temporary workaround, consider restricting access to the "/WiKIDAdmin/userPreregistration.jsp" API endpoint and the preRegistrationData parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.