PT-2024-14062 · Kofax · Capture

Author: Dawid Małecki

Published: 2024-01-11 · Updated: 2024-01-18

CVE-2023-5118

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Kofax Capture, software versions prior to 11.1.x

Description
The application is vulnerable to Stored Cross-Site Scripting (XSS) in the endpoint "/sofer/DocumentService.asc/SaveAnnotation": the input data transmitted via the POST method in the parameters author and text is not adequately sanitized and validated. This allows the injection of malicious JavaScript code, which is stored with the annotation and executes in the browser of any user who later views it. The vulnerability was identified in the function for adding new annotations while editing document content.

Recommendations
For versions prior to 11.1.x, update to a version above 11.1.x to resolve the issue. As a temporary workaround, consider restricting access to the "/sofer/DocumentService.asc/SaveAnnotation" endpoint or disabling the function for adding new annotations until a patch is available. Avoid using the parameters author and text in the affected API endpoint until the issue is resolved.
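The defensive pattern the advisory implies, as an added example that is not Kofax code: the two fields named in the description (author and text) are validated when the SaveAnnotation body arrives and HTML-encoded again when the stored annotation is rendered, so markup saved in either field stays inert. The request shape ({ author, text } as JSON), the length limits and the rendered markup are assumptions.

```javascript
// Added example, not from the vendor. Assumed request body: { author, text }.
const MAX_AUTHOR = 100;   // assumed limits, not Kofax values
const MAX_TEXT = 4000;

// Encode for HTML element content and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// First layer: reject bodies that do not fit the annotation model.
// Returns { ok, errors, value } so the endpoint can answer 400 with details.
function validateAnnotation(body) {
  const errors = [];
  if (typeof body !== "object" || body === null) {
    return { ok: false, errors: ["body must be a JSON object"] };
  }
  const { author, text } = body;
  if (typeof author !== "string" || author.length === 0 || author.length > MAX_AUTHOR) {
    errors.push(`author must be a non-empty string of at most ${MAX_AUTHOR} characters`);
  } else if (/[\u0000-\u001f<>]/.test(author)) {
    // An author name is an identity label; it never legitimately contains markup.
    errors.push("author may not contain control characters or angle brackets");
  }
  if (typeof text !== "string" || text.length > MAX_TEXT) {
    errors.push(`text must be a string of at most ${MAX_TEXT} characters`);
  }
  return errors.length ? { ok: false, errors } : { ok: true, errors, value: { author, text } };
}

// Second layer: encode on output regardless of what validation allowed,
// because stored data may predate the validation rule or come from another path.
function renderAnnotation(a) {
  return `<div class="annotation" data-author="${escapeHtml(a.author)}">` +
         `<span class="author">${escapeHtml(a.author)}</span>: ` +
         `<span class="text">${escapeHtml(a.text)}</span></div>`;
}

// Constructed sample body with markup in both fields.
const sampleBody = { author: "reviewer<b>", text: "<script>alert(1)</script>see p.3" };
const checked = validateAnnotation(sampleBody);           // rejected on author
const rendered = renderAnnotation({ author: "reviewer", text: sampleBody.text });
```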

Tags: Fix, XSS

Weakness Enumeration

Related Identifiers
CVE-2023-5118

Affected Products
Kofax Capture