According to the K2 Security Assessment and Penetration Testing 2020 results, one item with medium severity of the pen test of October 2019 remained open after the retest in January 2020. It was supposed to be mitigated during software updates in the course of 2020.
Does anyone know if they have eliminated this server-side request forgery issue within a specific SmartForms control allowing an attacker to discover internal endpoints?
Solved! Go to Solution.
Some steps have already been taken to reduce the risk, but the issue has not yet been fully mitigated – The remediation plan is still in progress and no ETA is currently available.
The risk of the issue is mainly on our own infrastructure(K2) and poses little risk to client data – There are many environment hardening and other factors that mitigates most of this item’s risk which helps greatly towards preventing compromise.
If you do want to reduce the risk even further, it helps NOT to use the Save as PDF control or the PDF Converter SmartObject at all, or can even delete the component from the system all together.
That being said, if you do require PDF capabilities, then generating the PDF from within the workflow instead of using the save as PDF control would help.