PT-2019-17067 · HCL · HCL Traveler
Published 2019-10-18 · Updated 2019-10-30 · CVE-2019-4409
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
HCL Traveler versions 9.x and earlier
Description
This is a cross-site scripting (XSS) vulnerability. The Problem Report page of the Traveler servlet pages has a field for specifying a file attachment that provides additional problem details. If an invalid file name is entered and the returned error message includes that file name without proper escaping, the page can be used for XSS.
Recommendations
For HCL Traveler versions 9.x and earlier, ensure that file names entered for attachments on the Problem Report page are properly escaped in the returned error page so that they cannot be used for XSS. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
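The following is an added illustration of the defect class the advisory describes and of the recommended fix; it is not HCL Traveler code and makes no claim about how the Traveler servlet actually builds its error page. It contrasts an error message that concatenates the submitted file name straight into HTML with one that HTML-escapes it first, using a constructed file name that contains every character `html.escape` rewrites. The function names and the sample file name are assumptions for the example.

```python
import html

# Constructed sample input for the example: a file name containing characters
# that are significant in HTML. It is not a value taken from the advisory.
SAMPLE_FILE_NAME = 'notes "<draft>" & more.txt'


def error_page_unescaped(file_name: str) -> str:
    """Vulnerable pattern (hypothetical): the user-supplied file name is
    concatenated straight into the HTML error message, so any markup it
    contains is rendered by the browser."""
    return (
        "<html><body><p>Error: the attachment "
        + file_name
        + " could not be found.</p></body></html>"
    )


def error_page_escaped(file_name: str) -> str:
    """Hardened pattern: the file name is HTML-escaped for the element-content
    context before it is placed in the response. quote=True also escapes
    quotation marks, which matters if the value is ever reused inside an
    attribute."""
    safe_name = html.escape(file_name, quote=True)
    return (
        "<html><body><p>Error: the attachment "
        + safe_name
        + " could not be found.</p></body></html>"
    )


def contains_unescaped_markup(rendered: str, untrusted: str) -> bool:
    """Check a reviewer or regression test can run over any rendered error
    page: does the raw untrusted value survive verbatim in the output?
    True means output escaping was missed for that value."""
    return untrusted in rendered


if __name__ == "__main__":
    for renderer in (error_page_unescaped, error_page_escaped):
        page = renderer(SAMPLE_FILE_NAME)
        verdict = "UNSAFE" if contains_unescaped_markup(page, SAMPLE_FILE_NAME) else "safe"
        print(f"{renderer.__name__}: {verdict}")
        print("   ", page)
```

Escaping must be applied at the point where the value is written into the HTML response, not at input time: a file name is legitimately allowed to contain quotes, ampersands or angle brackets, and the defect lies only in rendering it as markup. The `contains_unescaped_markup` check is the kind of assertion worth keeping in a test suite so the escaping cannot silently regress.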
XSS
Affected Products
HCL Traveler