CVE-2021-31537

Name of the Vulnerable Software and Affected Versions SIS SIS-REWE Go versions prior to 7.7 SP17

Description The issue allows for XSS attacks. It affects the 'rewe/prod/web/index.php' endpoint, with vulnerable parameters being config, version, win, db, pwd, and user. Additionally, the '/rewe/prod/web/rewe go check.php' endpoint is affected, with version and all other parameters being vulnerable.

Recommendations For versions prior to 7.7 SP17, update to version 7.7 SP17 or later to resolve the issue. As a temporary workaround, consider restricting access to the 'rewe/prod/web/index.php' and '/rewe/prod/web/rewe go check.php' endpoints until the update is applied. Avoid using the vulnerable parameters config, version, win, db, pwd, and user in the 'rewe/prod/web/index.php' endpoint and the version parameter in the '/rewe/prod/web/rewe go check.php' endpoint until the issue is resolved.