CVE-2020-9028

Name of the Vulnerable Software and Affected Versions Symmetricom SyncServer S100 version 2.90.70.3 Symmetricom SyncServer S200 version 1.30 Symmetricom SyncServer S250 version 1.25 Symmetricom SyncServer S300 version 2.65.0 Symmetricom SyncServer S350 version 2.80.1

Description The issue allows stored XSS via the newUserName parameter on the "User Creation, Deletion and Password Maintenance" screen when creating a new user.

Recommendations For Symmetricom SyncServer S100 version 2.90.70.3, avoid using the newUserName parameter in the affected screen until the issue is resolved. For Symmetricom SyncServer S200 version 1.30, restrict access to the "User Creation, Deletion and Password Maintenance" screen to minimize the risk of exploitation. For Symmetricom SyncServer S250 version 1.25, consider disabling the user creation functionality until a fix is available. For Symmetricom SyncServer S300 version 2.65.0, limit the input for the newUserName parameter to prevent malicious code injection. For Symmetricom SyncServer S350 version 2.80.1, apply configuration changes to validate user input and prevent XSS attacks.