PT-2020-20607 · Isomorphic · Smartclient

Published

2020-02-23

·

Updated

2024-08-04

·

CVE-2020-9353

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions SmartClient version 12.0
Description An issue was discovered in the loadFile Remote Procedure Call (RPC) provided by the developer console functionality. The issue affects the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL, where unauthenticated Local File Inclusion is possible via directory-traversal sequences in the elem XML element of the transaction parameter; in practice this lets an unauthenticated remote attacker read arbitrary files that the application server process can access. The vendor documentation notes that these tools are available to anyone by default and should only be deployed into a trusted environment, or restricted to administrators or end users by protecting the tools path with the normal authentication and authorization mechanisms of the web server.
Recommendations For SmartClient version 12.0, restrict access to the /tools/developerConsoleOperations.jsp (and /isomorphic/IDACall) URL by protecting the tools path with the web server's normal authentication and authorization mechanisms, or remove the developer console from deployments that do not need it. Note that the elem XML element in the transaction parameter is supplied by the client, so the application owner cannot simply "avoid" it; instead, reject or alert on requests to these endpoints whose transaction payload contains directory-traversal sequences (for example "../" or an absolute path) and verify, after applying any vendor fix, that files read by loadFile are confined to the web application directory.
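The following triage helper is an added example written for this advisory; it is not SmartClient code and does not reproduce the vendor's loadFile implementation. It assumes the transaction parameter carries a small XML document whose elem child names the file to load (the advisory only says elem is an XML element inside transaction, so the wrapper structure is an assumption), an assumed web root path, and constructed request lines rather than captured traffic. It shows the naive path join that lets "../" sequences and absolute paths escape the web root, the confined resolution a fixed loadFile should perform, and a check that pulls elem values out of request lines to flag the ones that would escape.

```python
"""Triage helper for CVE-2020-9353-style requests (added example, not SmartClient code).

Assumptions (not stated in the advisory): the transaction parameter is a small
XML document whose <elem> children name the file to load, and the web root path.
"""
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

WEB_ROOT = "/opt/smartclient/webapps/ROOT"   # assumed deployment path, not from the advisory


def _req(path, xml):
    """Build a constructed request line with the XML carried in ?transaction=."""
    return f"GET {path}?transaction={quote(xml, safe='')} HTTP/1.1"


# Constructed sample requests (not captured traffic); the XML wrapper is an assumption.
SAMPLE_REQUESTS = [
    _req("/tools/developerConsoleOperations.jsp",
         "<transaction><operation>loadFile</operation>"
         "<elem>isomorphic/skins/Enterprise/skin_styles.css</elem></transaction>"),
    _req("/tools/developerConsoleOperations.jsp",
         "<transaction><operation>loadFile</operation>"
         "<elem>../../../../etc/passwd</elem></transaction>"),
    _req("/isomorphic/IDACall",
         "<transaction><operation>loadFile</operation>"
         "<elem>/etc/passwd</elem></transaction>"),
]


def vulnerable_resolve(root, requested):
    """Naive join: '..' segments walk out of root and an absolute path replaces it."""
    return posixpath.normpath(posixpath.join(root, requested))


def safe_resolve(root, requested):
    """Resolve requested under root and refuse anything that lands outside it."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, requested))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError(f"path escapes web root: {requested!r}")
    return candidate


def elem_paths(request_line):
    """Return every <elem> value found in the transaction parameter of a request line."""
    target = request_line.split(" ")[1]
    query = urlsplit(target).query
    paths = []
    for raw in parse_qs(query).get("transaction", []):
        try:
            doc = ET.fromstring(raw)
        except ET.ParseError:
            continue                      # not XML: nothing to extract
        paths.extend(e.text.strip() for e in doc.iter("elem") if e.text)
    return paths


def escaping_paths(request_line, root=WEB_ROOT):
    """Return the <elem> values that would resolve outside root (empty list = benign)."""
    bad = []
    for p in elem_paths(request_line):
        try:
            safe_resolve(root, p)
        except ValueError:
            bad.append(p)
    return bad


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(escaping_paths(line) or "ok", "<-", line[:70])
```

The check decodes the query string once, as a servlet container would; a payload that is percent-encoded twice ("..%252f") survives as a literal name here and would only be caught if the server decodes it again, so when reviewing logs also search the raw query string for encoded traversal sequences rather than relying on this parse alone.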

Exploit

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2020-9353

Affected Products

Smartclient