PT-2024-38651 · Kofax · Totalagility

Abderrahmane Bounhidja (+1)

Published 2024-12-06 · Updated 2024-12-06

CVE-2024-7875

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions
Tungsten Automation (Kofax) TotalAgility, all versions up to and including 7.9.0.25.0.954

Description
The issue allows reflected XSS through the mfpScreenResolutionWidth parameter of a form submitted to the "/TotalAgility/Kofax/BrowserDevice/ScanFront.aspx" endpoint: the parameter value is reflected into the response without adequate output encoding, so attacker-controlled JavaScript can run in the victim's browser, potentially leaking information. Exploitation is limited to POST requests and requires a VIEWSTATE parameter the server accepts, so an attacker must first obtain a valid VIEWSTATE and then get the victim's browser to submit the crafted form; both conditions reduce the likelihood of a successful attack.

Recommendations
For all versions up to and including 7.9.0.25.0.954, as a temporary workaround, restrict access to the /TotalAgility/Kofax/BrowserDevice/ScanFront.aspx endpoint (for example with network or reverse-proxy access controls) until a patch is available. Additionally, avoid using the mfpScreenResolutionWidth parameter in the affected form until the issue is resolved. At the time of publication there is no information about a newer version that contains a fix for this vulnerability.
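The following script is an added example for verifying the condition described above during an authorised assessment; it is not code from the advisory and not code from Tungsten Automation/Kofax. The endpoint path and the parameter name come from the advisory; everything else is an assumption labelled in the code: that ScanFront.aspx is an ordinary ASP.NET WebForms page whose POST-back must carry the __VIEWSTATE (and related __VIEWSTATEGENERATOR / __EVENTVALIDATION) hidden fields, and that the HTML samples are constructed for the example rather than captured from a real installation. The script fetches the page, harvests those state fields, posts an inert canary in mfpScreenResolutionWidth and reports whether the canary comes back raw, HTML-encoded, or not at all; the classification logic runs offline against the constructed samples.

```python
"""Reflection check for the mfpScreenResolutionWidth parameter of ScanFront.aspx.

Added example (not code from the advisory or from Tungsten Automation).
Assumptions, labelled as such: the page is an ordinary ASP.NET WebForms page
whose POST-back must carry the __VIEWSTATE / __VIEWSTATEGENERATOR /
__EVENTVALIDATION hidden fields; the endpoint and parameter name are taken
from the advisory; the HTML samples below are constructed for the example,
not captured from a real installation.
"""
import html
import re
import urllib.parse
import urllib.request
from typing import Dict

ENDPOINT = "/TotalAgility/Kofax/BrowserDevice/ScanFront.aspx"  # from the advisory
PARAM = "mfpScreenResolutionWidth"                              # from the advisory

# Inert canary: carries every character that must be HTML-encoded for a value
# to be safe in element or attribute context, but contains no executable markup.
CANARY = 'ptcanary<"\'>z9'
DANGEROUS = set('<>"\'')

INPUT_TAG_RE = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'\b(name|value)\s*=\s*"([^"]*)"', re.IGNORECASE)


def extract_hidden_fields(page_html: str) -> Dict[str, str]:
    """Collect the WebForms state fields (names starting with '__') from a GET
    response; a POST without an acceptable __VIEWSTATE is rejected, which is the
    constraint the advisory mentions."""
    fields: Dict[str, str] = {}
    for tag in INPUT_TAG_RE.findall(page_html):
        attrs = {k.lower(): html.unescape(v) for k, v in ATTR_RE.findall(tag)}
        name = attrs.get("name", "")
        if name.startswith("__"):
            fields[name] = attrs.get("value", "")
    return fields


def build_post_body(hidden: Dict[str, str], canary: str = CANARY) -> bytes:
    """Form-encode the harvested state fields plus the canary in the target parameter."""
    if "__VIEWSTATE" not in hidden:
        raise ValueError("no __VIEWSTATE field found; the page cannot be posted back")
    body = dict(hidden)
    body[PARAM] = canary
    return urllib.parse.urlencode(body).encode()


def classify_reflection(response_html: str, canary: str = CANARY) -> str:
    """'raw' if any reflected copy of the canary keeps a dangerous character
    (partial encoding, e.g. '<' encoded while quotes survive, still counts as raw
    because quotes break out of an attribute), 'encoded' if every copy is fully
    encoded, 'absent' if the canary is not reflected at all."""
    prefix, suffix = canary.split("<", 1)[0], canary.rsplit(">", 1)[1]
    pattern = re.escape(prefix) + r"(.{0,64}?)" + re.escape(suffix)
    verdict = "absent"
    for match in re.finditer(pattern, response_html, re.DOTALL):
        if DANGEROUS & set(match.group(1)):
            return "raw"
        verdict = "encoded"
    return verdict


def check_live(base_url: str, timeout: float = 10.0) -> str:
    """GET the page, POST the canary back with the captured state fields, and
    classify the reflection. Needs network access and authorisation to test the
    target; nothing else in this file calls it."""
    url = base_url.rstrip("/") + ENDPOINT
    # Keep the ASP.NET session cookie between the GET and the POST.
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
    page = opener.open(url, timeout=timeout).read().decode("utf-8", "replace")
    req = urllib.request.Request(
        url,
        data=build_post_body(extract_hidden_fields(page)),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    resp = opener.open(req, timeout=timeout).read().decode("utf-8", "replace")
    return classify_reflection(resp)


# Constructed samples (not captured from TotalAgility).
SAMPLE_PAGE = """<html><body><form method="post" action="./ScanFront.aspx" id="form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTIzNDU2Nzg5MGRk" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="CA0B0334" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAEx&#43;abc" />
<input type="hidden" name="mfpScreenResolutionWidth" id="mfpScreenResolutionWidth" value="" />
</form></body></html>"""
# Unencoded reflection into an attribute: the quote and '>' break out of it.
VULNERABLE_RESPONSE = '<input type="hidden" name="mfpScreenResolutionWidth" value="ptcanary<"\'>z9" />'
# Fully HTML-encoded reflection, as Server.HtmlEncode would produce it.
FIXED_RESPONSE = '<input type="hidden" name="mfpScreenResolutionWidth" value="ptcanary&lt;&quot;&#39;&gt;z9" />'

if __name__ == "__main__":
    hidden = extract_hidden_fields(SAMPLE_PAGE)
    print("state fields:", sorted(hidden))
    print("post body:", build_post_body(hidden).decode())
    print("vulnerable sample ->", classify_reflection(VULNERABLE_RESPONSE))
    print("fixed sample      ->", classify_reflection(FIXED_RESPONSE))
```

The GET-then-POST sequence in check_live is also the reason the VIEWSTATE requirement only partly mitigates the issue: if the server does not bind the VIEWSTATE to the user's session (ASP.NET does so only when ViewStateUserKey is configured), a value harvested by the attacker can be placed in the cross-site form; if it is bound, the attacker needs one issued to the victim's own session, which is considerably harder.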

XSS


Weakness Enumeration

Related Identifiers

CVE-2024-7875

Affected Products

Totalagility