Symptoms
During security scanning, the customer identified a Cross-Site Scripting issue involving the Serial Number (SN).
The SN contains special characters. Is it possible to encrypt the SN and pass the encrypted value in the query string?
SN: special character validation
We are currently sending the SN in plain text.
Fix requested:
1. Change the SN to an encrypted value.
2. In case of any error, redirect to a custom error page.
Diagnoses
My Last response was:
"
By the looks of it, the attached security report contains all the issues and responses as recorded before 4.6.11 Update 40 was installed.
After update 40, the SN or Serial Number value will be HTML Encoded in the responses that are shown in the attached document.
However, there is a known issue that when the worklist item is opened or actioned in a subsequent call using the SerialNumber value containing scripting values, the script will execute.
This issue has recently been resolved in our main branches and should ship in the next on-premise release.
"
It was in response to his question:
"
We have successfully done the K2 upgrade. Thanks for your support.
But the issue still exists: the SN was not encrypted. As discussed, kindly check and update us.
"
The smartforms 4611.40 fix was supplied to and applied by the customer.
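As an added illustration (not K2's code), the following Python models the two reflection points described above: the worklist response, which HTML-encodes the SN after Update 40, and the follow-up open/action call, which in the known issue reflected the SN unencoded. The sample SNs and the `OpenItem` path are constructed assumptions; the point is that encoding must be applied at every place the SN is written into a response, and that encoding (unlike the requested encryption) leaves a legitimate SN's special characters intact.

```python
# Added example, not K2 code: output-encode the Serial Number (SN) at every
# reflection point, not only the first one.
import html
from urllib.parse import parse_qs, urlencode

# Constructed sample SNs (assumptions): a legitimate K2-style value with an
# underscore, and a scanner-style probe carrying markup.
LEGIT_SN = "1234_56"
PROBE_SN = '1234_56"><script>alert(1)</script>'

# Hypothetical path for the follow-up open/action call (not a real K2 URL).
OPEN_ITEM_PATH = "OpenItem"


def render_worklist_item(sn: str) -> str:
    """Worklist response after Update 40: the SN is HTML-encoded both in the
    link's href (URL-encoded, then attribute-encoded) and in the link text."""
    href = OPEN_ITEM_PATH + "?" + urlencode({"SN": sn})
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(sn)}</a>'


def follow_up_query(sn: str) -> str:
    """Query string the browser sends when the worklist link is followed."""
    return urlencode({"SN": sn})


def render_open_action_unfixed(query_string: str) -> str:
    """Model of the known issue: the follow-up open/action call writes the raw
    SN from the query string back into the page without encoding."""
    sn = parse_qs(query_string).get("SN", [""])[0]
    return f'<input name="SN" value="{sn}">'


def render_open_action_fixed(query_string: str) -> str:
    """Hardened follow-up call: the same attribute encoding is applied at this
    second reflection point as well."""
    sn = parse_qs(query_string).get("SN", [""])[0]
    return f'<input name="SN" value="{html.escape(sn, quote=True)}">'


def reflects_markup(page: str) -> bool:
    """Detection check: does a raw <script tag survive into the response?"""
    return "<script" in page.lower()
```

Running `render_open_action_unfixed(follow_up_query(PROBE_SN))` reproduces the second-call reflection; the fixed variant and the worklist item both contain only the encoded form, while `LEGIT_SN` passes through both unchanged.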
Resolution
The smartforms 4611.40 fix was supplied to and applied by the customer.