CVE-2023-36085

Name of the Vulnerable Software and Affected Versions sisqualWFM versions 7.1.319.103 through 7.1.319.111

Description The issue concerns a host header injection vulnerability in the "/sisqualIdentityServer/core/" endpoint. By modifying the HTTP Host header, an attacker can change webpage links and redirect users to arbitrary or malicious locations, potentially leading to phishing attacks, malware distribution, and unauthorized access to sensitive resources.

Recommendations For sisqualWFM versions 7.1.319.103 through 7.1.319.111, consider disabling access to the "/sisqualIdentityServer/core/" endpoint until a patch is available. Restricting the modification of the HTTP Host header can also help minimize the risk of exploitation. As a temporary workaround, avoid using the vulnerable endpoint for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.