Stored Cross Site Scripting in PrizmDoc 13.3 and before (CVE-2018–15546)


While working on a security audit, our researcher has found a security weakness affecting PrizmDoc HTML5 Document Viewer 13.3 and all previous versions. This has been assigned with CVE-2018–15546.


PrizmDoc is a suite of web services that are accessed using REST APIs which provide document & image processing functionality for your application

In order to reproduce the issue, you need to have a pdf file with XSS payload, you can download one from below:


Now, all you need to upload the file into application and view the file using PrizmDoc viewer. Click on javascript link and XSS will execute.


Recommendation:

Vendor Released the Fix for the vulnerability in v13.4


References:

http://help.accusoft.com/PrizmDoc/v13.4/ReleaseNotes/index.htm


Timeline:

  • Jul 26, 2018 — Vulnerability Discovered

  • Jul 26, 2018 — Vulnerability Reported

  • Jul 27,2018 — Vulnerability Acknowledged by vendor

  • Jul 28,2018 — Vendor Response on Fix scheduled in September

  • September 10,2018 — Vulnerability Fixed

© 2020 by SECMASTERS