CVE-2021-41555

Name of the Vulnerable Software and Affected Versions ARCHIBUS Web Central versions 21.3.3.815 and earlier

Description The issue occurs in the /archibus/dwr/call/plaincall/workflow.runWorkflowRule.dwr endpoint because the data received as input from clients is re-included within the HTTP response returned by the application without adequate validation. If HTML code or client-side executable code (e.g., Javascript) is entered as input, the expected execution flow could be altered.

Recommendations For versions 21.3.3.815 and earlier, update to a recent version, such as version 26, to resolve the issue. As a temporary workaround, consider restricting access to the /archibus/dwr/call/plaincall/workflow.runWorkflowRule.dwr endpoint until a patch is available. Avoid entering HTML code or client-side executable code as input to minimize the risk of exploitation.