PT-2020-20605 · Isomorphic · Smartclient

Published: 2020-02-23 · Updated: 2024-08-04 · CVE-2020-9351

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SmartClient version 12.0

Description: An issue was discovered in SmartClient where an unauthenticated attacker can make a POST request to "/tools/developerConsoleOperations.jsp" or "/isomorphic/IDACall" with malformed XML data in the transaction parameter. The server replies with a verbose error message that discloses the absolute filesystem path of the application. Note that these tools are reachable by anyone by default; they should only be deployed into a trusted environment, or restricted to administrators or end users by protecting the tools path with the normal authentication and authorization mechanisms of the web server.

Recommendations: For SmartClient version 12.0, restrict access to the "/tools/developerConsoleOperations.jsp" and "/isomorphic/IDACall" endpoints by protecting the tools path with the normal authentication and authorization mechanisms of the web server, which minimizes the risk of exploitation. Consider temporarily disabling these endpoints until a more permanent solution is available.
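As an added example (not from this advisory and not Isomorphic's own configuration), one way to apply the recommendation in a Servlet container: it assumes the SmartClient application is deployed as a standard Java web application whose container realm is configured separately, and the role name smartclient-admin is a placeholder.

```xml
<!-- Excerpt for WEB-INF/web.xml (Servlet specification security-constraint).
     Assumption: the container realm that maps users to smartclient-admin is
     configured elsewhere; the role name is a placeholder for this example. -->

<!-- Option 1: restrict the tools path to an administrative role.
     No <http-method> element is given, so the constraint applies to POST
     as well as GET and every other method. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SmartClient developer tools</web-resource-name>
    <url-pattern>/tools/*</url-pattern>          <!-- covers developerConsoleOperations.jsp -->
    <url-pattern>/isomorphic/IDACall</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>smartclient-admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- require TLS so credentials are not sent in the clear -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Option 2 (temporary disable): an empty <auth-constraint/> denies every
     caller, authenticated or not, until a permanent fix is deployed.
     Use this block instead of Option 1, not together with it. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SmartClient developer tools (disabled)</web-resource-name>
    <url-pattern>/tools/*</url-pattern>
    <url-pattern>/isomorphic/IDACall</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>SmartClient tools</realm-name>
</login-config>

<security-role>
  <role-name>smartclient-admin</role-name>
</security-role>
```

Either option only limits who can reach the endpoints; it does not change the verbose error itself, so the first option should be paired with the vendor fix when one is available.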


Weakness Enumeration: Generation of Error Message Containing Sensitive Information

Related Identifiers: CVE-2020-9351

Affected Products: Smartclient