CVE-2019-20802

Name of the Vulnerable Software and Affected Versions Readdle Documents app versions prior to 6.9.7

Description The application's file-transfer web server improperly displays directory names, leading to Stored XSS, which may be used to steal a user's data. This requires user interaction because there is no known direct way for an attacker to create a crafted directory name on a victim's device. However, a crafted directory name can occur if a victim extracts a ZIP archive that was provided by an attacker.

Recommendations For versions prior to 6.9.7, update to version 6.9.7 or later to resolve the issue. As a temporary workaround, consider avoiding the extraction of ZIP archives from untrusted sources to minimize the risk of exploitation. Restrict access to the file-transfer web server to minimize the risk of Stored XSS attacks.