CVE-2021-34823

Name of the Vulnerable Software and Affected Versions: ON24 ScreenShare versions prior to 2.0

Description: The issue allows remote file access via a built-in HTTP server, enabling unauthenticated remote users to retrieve files accessible to the logged-on macOS user. A crafted HTTP request can trigger a code path to download a configuration file from a remote machine over HTTP, which contains an XXE flaw. This flaw allows reading local files and uploading them to remote machines.

Recommendations: For versions prior to 2.0, update to version 2.0 or later to resolve the issue. As a temporary workaround, consider disabling the built-in HTTP server until a patch is available. Restrict access to sensitive files and configuration to minimize the risk of exploitation. Avoid using the HTTP server to download configuration files from untrusted remote machines until the issue is resolved.