CVE-2021-33904

Name of the Vulnerable Software and Affected Versions: Accela Civic Platform versions prior to 21.2

Description: The issue concerns a security problem where the servProvCode parameter in the "security/hostSignon.do" endpoint is vulnerable to XSS. The vendor has noted that there are configurable security flags, and they were unable to reproduce the issue with the available information.

Recommendations: For Accela Civic Platform versions prior to 21.2, consider restricting access to the security/hostSignon.do endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the servProvCode parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.