Reflected Cross-Site Scripting (CVE-2021-22522) and XML External Entity (CVE-2021-22523)

  • 7025169
  • 21-Jun-2021
  • 14-Jul-2021

Environment

Verastream Host Integrator version 7.8 Update 1 and earlier

Situation

A Reflected Cross-Site Scripting vulnerability (CVE-2021-22522) has been identified in Verastream Host Integrator (VHI). The vulnerability allows for injecting and executing JavaScript code in the application context, allowing an attacker to control the web browser, hijack user sessions, redirect the user to malicious websites, and steal application users' keystrokes. Successful exploitation requires a user to take some action before the vulnerability can be exploited, such as being convinced to click a link in an email. This vulnerability affects VHI versions 7.8 Update 1 and earlier.

An XML External Entity vulnerability (CVE-2021-22523) has been identified in Verastream Host Integrator (VHI). The vulnerability may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. This vulnerability affects VHI versions 7.8 Update 1 and earlier.
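The advisory names two vulnerability classes without describing the affected code. The following Python example is added here to show the standard defensive controls for each class; it is not code from the advisory or from VHI, and the sample XML document, the sample URL and the parameter name `q` are constructed for illustration. For the XML External Entity class, the parser is configured to abort on any DOCTYPE declaration (the only place entities can be declared) and no external-entity handler is installed. For the reflected cross-site scripting class, the request value is HTML-entity encoded before it is written into the response, and a small tag collector shows the difference a browser-like parser would see.

```python
import html
import xml.parsers.expat
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


# --- XML External Entity: refuse any DOCTYPE before entity declarations are processed ---

class DoctypeNotAllowed(ValueError):
    """Raised when a document carries a DOCTYPE, the only place entities can be declared."""


def parse_xml_safely(data: bytes) -> ET.Element:
    """Parse XML with expat, aborting as soon as a DOCTYPE declaration appears."""
    parser = xml.parsers.expat.ParserCreate()
    builder = ET.TreeBuilder()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeNotAllowed(f"DOCTYPE for {name!r} rejected (system id {sysid!r})")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    # No ExternalEntityRefHandler is installed, so expat has nothing to call to
    # fetch external resources even if a DOCTYPE were somehow allowed through.
    parser.Parse(data, True)
    return builder.close()


def xml_accepted(data: bytes) -> bool:
    """True if the document parses under the hardened settings, False if it is rejected."""
    try:
        parse_xml_safely(data)
        return True
    except (DoctypeNotAllowed, xml.parsers.expat.ExpatError):
        return False


# --- Reflected XSS: encode untrusted input for the HTML context it is written into ---

def query_param(url: str, name: str) -> str:
    """Extract one query-string parameter; a reflected value like this is the input."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def render_unsafe(term: str) -> str:
    # Vulnerable pattern: the request value is concatenated into the page verbatim.
    return f"<p>Results for: {term}</p>"


def render_safe(term: str) -> str:
    # Hardened: entity-encode <, >, &, " and ' so the value stays text in element
    # content and inside quoted attribute values.
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(fragment: str):
    """List the start tags a browser-like parser sees; only the intended <p> should appear."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


# Constructed sample inputs (not taken from the advisory or from VHI).
BENIGN_XML = b'<?xml version="1.0"?><data><item id="1">hello</item></data>'
XXE_SHAPED_XML = (b'<?xml version="1.0"?>'
                  b'<!DOCTYPE data [<!ENTITY ext SYSTEM "file:///placeholder">]>'
                  b'<data>&ext;</data>')
SAMPLE_URL = "https://example.invalid/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    print("benign XML accepted:", xml_accepted(BENIGN_XML))                 # True
    print("DOCTYPE-bearing XML accepted:", xml_accepted(XXE_SHAPED_XML))    # False
    term = query_param(SAMPLE_URL, "q")
    print("unsafe render tags:", start_tags(render_unsafe(term)))           # ['p', 'script']
    print("safe render tags:  ", start_tags(render_safe(term)))             # ['p']
```

Rejecting every DOCTYPE is the simplest robust setting for a service that only ever consumes its own or its clients' data-bearing XML; if a deployment must accept documents with a legitimate DTD, the parser must instead be configured so that external general and parameter entities are never resolved, and the rejection should be logged, since a DOCTYPE arriving at an API that never needs one is itself a useful detection signal. On the output side, `html.escape` covers element content and quoted attribute values only; a value written into a script block, a URL or a CSS context needs the encoding for that context.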

Resolution

An update that fixes these vulnerabilities (VHI 7.8 Update 2) is available to maintained customers through the Micro Focus Software Licenses and Downloads (SLD) website. Micro Focus recommends that customers upgrade as soon as possible.

Status

Security Alert

Additional Information

Micro Focus would like to thank Pawel Gocyla for finding and responsibly disclosing this vulnerability.
 
CVE Reference and CVSS Version 3.1 Base Metrics: