PT-2021-9672 · Outsystems · Outsystems

Fábio Gomes · Published 2021-08-31 · Updated 2021-09-08 · CVE-2020-13639

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

OutSystems versions prior to 10.0.1005.2
OutSystems versions prior to 11.7.0 (LifeTime Management Console)
OutSystems versions prior to 11.9.0 (Platform Server)
Description

A stored XSS issue was discovered in the ECT Provider, affecting generated applications. An unauthenticated remote attacker can craft and store malicious Feedback content via "/ECT Provider/"; when an Administrator later views that content, the attacker-controlled JavaScript executes in the administrator's browser, that is, with the administrator's session and privileges in the application.
Recommendations

For versions prior to 10.0.1005.2, update to 10.0.1005.2 or later.
For LifeTime Management Console versions prior to 11.7.0, update to 11.7.0 or later.
For Platform Server versions prior to 11.9.0, update to 11.9.0 or later.

As a temporary workaround until the update is applied, consider restricting access to the "/ECT Provider/" endpoint to minimize the risk of exploitation. Note that this only limits who can submit Feedback content; it does not fix the rendering defect, so any already-stored content should still be treated as untrusted.
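As an added illustration (not OutSystems code and not taken from this advisory), the following JavaScript shows the pattern behind a stored XSS of this kind: feedback text submitted by an anonymous user is later concatenated into the HTML an administrator views. The sample feedback string, the record shape and the render functions are constructed here; nothing about the ECT Provider's real implementation is assumed.

```javascript
// Added example: a stored-XSS rendering pattern next to its hardened form.
// Nothing here is OutSystems code; the feedback sample, the record shape and
// the render functions are constructed for illustration only.

// Constructed sample: what an unauthenticated user could submit as feedback.
// The onerror handler fires as soon as the browser parses the broken <img>.
const SAMPLE_FEEDBACK = '<img src=x onerror="alert(document.cookie)">Nice app';

// Minimal encoder for the HTML text/attribute context: neutralises the
// characters that can open or close a tag or break out of an attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable pattern: stored text is concatenated into the admin page as-is,
// so the browser parses the feedback as markup and runs the handler.
function renderFeedbackUnsafe(entry) {
  return `<li class="feedback" data-id="${entry.id}">${entry.text}</li>`;
}

// Hardened pattern: encode on output, for the context the value lands in.
// The same stored text now renders as literal characters, not as elements.
function renderFeedbackSafe(entry) {
  return `<li class="feedback" data-id="${escapeHtml(entry.id)}">${escapeHtml(entry.text)}</li>`;
}

// Tiny tokenizer for the demo: the opening tag names a browser would see in a
// fragment. Enough to show whether the feedback contributed an element of its own.
function tagNames(html) {
  const names = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)\b/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Does the rendered fragment contain any element beyond the <li> wrapper that
// the template itself emits? True means stored content became markup.
function leaksElements(html) {
  return tagNames(html).some((name) => name !== 'li');
}

const entry = { id: 42, text: SAMPLE_FEEDBACK };
console.log('unsafe render leaks elements:', leaksElements(renderFeedbackUnsafe(entry))); // true
console.log('safe render leaks elements:  ', leaksElements(renderFeedbackSafe(entry)));   // false
```

The encoder above is correct only for values placed in HTML text or quoted attribute values; a value that lands inside a script block, a URL or an inline event handler needs the encoder for that context. Restricting who can reach the endpoint, as the workaround suggests, reduces exposure but leaves the rendering defect in place, which is why the fixed versions are the real remedy.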

Fix

XSS


Weakness Enumeration

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Identifiers

CVE-2020-13639

Affected Products

OutSystems