CVE-2018-17288 in Front Office Serverinfo

Summary

by MITRE

Kofax Front Office Server version 4.1.1.11.0.5212 (both Thin Client and Administration Console) suffers from multiple authenticated stored XSS vulnerabilities via the (1) "Filename" field in /Kofax/KFS/ThinClient/document/upload/ - (Thin Client) or (2) "DeviceName" field in /Kofax/KFS/Admin/DeviceService/device/ - (Administration Console).


Analysis

by VulDB Data Team • 09/04/2023

Kofax Front Office Server version 4.1.1.11.0.5212 contains critical authenticated stored cross-site scripting vulnerabilities that affect both the Thin Client and Administration Console components of the system. These vulnerabilities arise from insufficient input validation and output encoding in two distinct upload endpoints, creating persistent security risks for authenticated users within the application's ecosystem. The flaws exist in the server-side processing of user-supplied data, specifically in how the system handles file naming and device identification parameters.

The primary vulnerability manifests in the /Kofax/KFS/ThinClient/document/upload/ endpoint, where the "Filename" field fails to properly sanitize user input before storing and subsequently rendering the data. This allows authenticated attackers to inject malicious JavaScript code into the filename parameter, which gets executed whenever the stored filename is displayed or processed by the application. Similarly, the Administration Console component contains a comparable flaw in the /Kofax/KFS/Admin/DeviceService/device/ endpoint, where the "DeviceName" field lacks proper input validation, enabling attackers to store malicious payloads that persist within the system's device management functionality.

These stored XSS vulnerabilities represent a significant security risk, as they allow attackers with valid credentials to establish persistent malicious code execution within the application environment. The authenticated nature of these flaws means that attackers must first obtain legitimate user credentials, but once achieved, they can execute arbitrary JavaScript code within the context of the victim's browser session. This creates potential for session hijacking, data exfiltration, and privilege escalation within the Kofax Front Office Server environment. The vulnerabilities align with CWE-79, which specifically addresses cross-site scripting flaws, and they map to attack techniques within the ATT&CK framework under T1566 for credential access and T1059 for command and scripting interpreter.

The operational impact of these vulnerabilities extends beyond simple script execution as they can be leveraged to bypass security controls and access sensitive administrative functions. Attackers could potentially modify device configurations or manipulate document processing workflows, leading to data integrity compromises and unauthorized access to business-critical information. The persistent nature of stored XSS means that malicious payloads remain active until explicitly removed from the system, providing attackers with extended access windows and making detection more challenging. Organizations utilizing Kofax Front Office Server version 4.1.1.11.0.5212 should immediately implement mitigations including input sanitization, output encoding, and proper parameter validation to prevent exploitation of these vulnerabilities.
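The analysis above names the two defects (missing input validation at upload time, missing output encoding at render time) and the corresponding mitigations. The following Python example is added here to illustrate that pattern; it is not Kofax code and does not reproduce the product's actual handlers. The allow-list pattern, the record layout and the sample "Filename"/"DeviceName" values are all constructed assumptions. It contrasts a rendering path that interpolates the stored value directly into HTML with one that applies contextual output encoding, and adds a sweep that flags stored values failing the allow-list, which a defender can run over existing data to find payloads that were stored before validation was enforced.

```python
import html
import re
from typing import Iterable

# Constructed sample of stored values; these are not records from a real
# Kofax Front Office Server installation.
SAMPLE_RECORDS = [
    {"field": "Filename", "value": "invoice_2018.pdf"},
    {"field": "DeviceName", "value": "Lobby MFP"},
    # A value carrying markup, as a stored XSS payload would (constructed).
    {"field": "DeviceName", "value": 'Lobby MFP <script>alert("xss")</script>'},
]

# Assumed allow-list for name-like fields (our policy, not the vendor's):
# printable name characters only, no angle brackets or quotes, bounded length.
_NAME_PATTERN = re.compile(r"^[A-Za-z0-9 ._()\-]{1,255}$")


def is_valid_name(value: str) -> bool:
    """Server-side parameter validation: reject on input, before storage."""
    return _NAME_PATTERN.fullmatch(value) is not None


def render_cell_unsafe(value: str) -> str:
    """The defective pattern: a stored value interpolated straight into HTML,
    so any markup in it becomes part of the page."""
    return f"<td>{value}</td>"


def render_cell_safe(value: str) -> str:
    """Contextual output encoding for an HTML text node: angle brackets,
    ampersands and quotes are escaped, so the value is displayed, not parsed."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def find_unvalidated(records: Iterable[dict]) -> list:
    """Defender-side sweep: return stored records whose value fails the
    allow-list, i.e. data that reached storage without validation."""
    return [r for r in records if not is_valid_name(r["value"])]


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r["field"], "unsafe:", render_cell_unsafe(r["value"]))
        print(r["field"], "safe:  ", render_cell_safe(r["value"]))
    print("flagged:", find_unvalidated(SAMPLE_RECORDS))
```

Output encoding must be chosen for the context the value lands in (HTML text, attribute, JavaScript string, URL); `html.escape` covers the HTML text and quoted-attribute cases shown here. Input validation is a second, independent layer: it limits what can be stored but does not replace encoding at render time.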

Reservation

09/20/2018

Moderation

accepted

CPE

ready

EPSS

0.00320

KEV

no

Activities

very low

Sources
