05-20-2020, 05:16 PM
We have a third party company that is reviewing our websites.
They have reported some security issues that they are requiring us to address.
---------------------
Here is their description of the problem: Cross Site Scripting
The "callback", "ajaxevent" and "ArowId" parameters found on https://site.somewhere.com/iw/Isiw.dll//$/callback can be modified to include executable JavaScript.
Note: The request requires a valid 'IW_SessionID' value that can be obtained by going to the application (no authentication required)
----------------------------
It sounds to me that they think a user can grab a session_id from the site and then use it to do an ajax callback with some malicious code.
How do I mitigate this risk?
We are currently using iw 14. Are there some changes in iw15 that would help?
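As an added illustration of the finding above (example code written here, not IntraWeb's own code or the poster's), the "before" function reflects the three reported parameters into the callback response verbatim, while the "after" restricts `callback` to a plain JavaScript identifier and JSON-encodes the other two values. The parameter names come from the report; the shape of the callback response is an assumption.

```python
import json
import re

# Allowlist for a JSONP-style callback name: a dotted JavaScript identifier only,
# so the reflected value can never carry quotes, parentheses or tags.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

# Response headers that keep a script response from being interpreted as HTML
# (defensive defaults, not a setting taken from IntraWeb).
SAFE_HEADERS = {
    "Content-Type": "application/javascript; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
}


def validate_callback(name: str) -> str:
    """Return the callback name unchanged if it is a plain identifier, else raise."""
    if not CALLBACK_RE.fullmatch(name):
        raise ValueError("invalid callback name")
    return name


def js_string(value: str) -> str:
    """JSON-encode a string and escape <, > and & so it is safe inside a script body."""
    encoded = json.dumps(value)  # escapes quotes, backslashes, control chars, non-ASCII
    return encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_callback_vulnerable(params: dict) -> str:
    """'Before': every parameter is copied into the response as-is (the reported bug)."""
    return f'{params["callback"]}({{"event": "{params["ajaxevent"]}", "row": "{params["ArowId"]}"}})'


def render_callback_hardened(params: dict) -> str:
    """'After': validated callback name, encoded payload values."""
    cb = validate_callback(params["callback"])
    event = js_string(params["ajaxevent"])
    row = js_string(params["ArowId"])
    return f'{cb}({{"event": {event}, "row": {row}}})'


if __name__ == "__main__":
    # Constructed request: a harmless callback name and a value containing markup.
    request = {"callback": "IW.cb", "ajaxevent": '</script><script>alert(1)</script>', "ArowId": "7"}
    print(render_callback_vulnerable(request))  # markup survives into the response
    print(render_callback_hardened(request))    # markup is encoded, callback name is checked
```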