CVE-2019-17115

Name of the Vulnerable Software and Affected Versions WiKID 2FA Enterprise Server versions through 4.2.0-b2047

Description The issue allows remote attackers to inject arbitrary web script or HTML via multiple API endpoints, including "/wikid/servlet/com.wikidsystems.server.GetDomainHash" with the H parameter, and several other endpoints with the S parameter or an unspecified parameter a. These endpoints include "/wikid/DomainData", "/wikid/PreRegisterLookup", "/wikid/PreRegister", "/wikid/InitDevice", and several variations of "/wikid/servlet/InitDevice" and "/servlet/com.wikidsystems.server.InitDevice". The injected script or HTML is triggered when "Logs.jsp" is visited, as the rendered message column is retrieved and displayed unsanitized.

Recommendations For WiKID 2FA Enterprise Server versions through 4.2.0-b2047, consider disabling access to the vulnerable API endpoints, such as "/wikid/servlet/com.wikidsystems.server.GetDomainHash", "/wikid/DomainData", "/wikid/PreRegisterLookup", "/wikid/PreRegister", "/wikid/InitDevice", and related "InitDevice" endpoints, until a patch is available. Additionally, restrict the use of the H and S parameters, as well as the unspecified parameter a, in these endpoints to minimize the risk of exploitation. Avoid using the rendered message column in "Logs.jsp" until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.