CVE-2018-17289

Name of the Vulnerable Software and Affected Versions Kofax Front Office Server Administration Console version 4.1.1.11.0.5212

Description A vulnerability exists that allows remote authenticated users to read arbitrary files. This is achieved by crafting XML inside an imported package configuration (.ZIP file) within the "Kofax/KFS/Admin/PackageService/package/upload" file parameter.

Recommendations For version 4.1.1.11.0.5212, as a temporary workaround, consider restricting access to the package upload functionality to minimize the risk of exploitation. Avoid using the package/upload parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.