First published: 14 May 2020
Last update: 25 November 2020
ID: FSC21814
Affected Components: Fabasoft Cloud Web Services, Fabasoft Folio Web Services
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, Basic Score: 6.5 (Medium)
Status: Final
CVEs: CVE-2018-16323
Due to the vulnerability CVE-2018-16323 in ImageMagick, memory fragments can be leaked via the image data when images are converted and downloaded.
By repeatedly downloading converted images, an attacker can read parts of the memory of a Fabasoft Web Service, which may contain sensitive information.
Fixed with the following versions of the Fabasoft Cloud or Fabasoft Folio:
First published: 14 May 2020
Last update: 25 November 2020
ID: FSC21815
Affected Components: Fabasoft Cloud Client, Fabasoft Folio Client
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L, Basic Score: 8.3 (High)
Status: Final
CVEs: -
The Fabasoft Cloud or Fabasoft Folio browser extension uses web messaging to communicate with the Fabasoft Cloud Client or Fabasoft Folio Client. The Fabasoft Cloud Client or Fabasoft Folio Client does not check whether the origin of the messages is a trustworthy site.
A malicious website can perform actions through the Fabasoft Cloud or Fabasoft Folio browser extension and store files in the temp directory of the current user.
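The missing origin check described above, as an added JavaScript example that is not Fabasoft's code: a web-messaging listener that acts on any message beside one that compares event.origin against an allowlist first. The message shape, the trusted host and the sample events are constructed assumptions.

```javascript
// Constructed allowlist: exact origins (scheme + host + port) that may drive the client.
// "https://cloud.example.com" is a placeholder, not a real Fabasoft host.
const ALLOWED_ORIGINS = new Set(["https://cloud.example.com"]);

// Stand-in for the privileged action the client performs on a message.
// The {type} shape is assumed for this example.
function dispatch(data) {
  if (!data || typeof data.type !== "string") {
    return { status: "rejected", reason: "malformed message" };
  }
  return { status: "handled", action: data.type };
}

// Vulnerable pattern: every message is acted on, whoever posted it.
function handleMessageUnchecked(event) {
  return dispatch(event.data);
}

// Hardened pattern: reject before touching the payload unless the origin is
// an exact allowlist member. Exact matching matters: a prefix or substring
// test would accept "https://cloud.example.com.attacker.example".
function handleMessageChecked(event, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof event.origin !== "string" || !allowedOrigins.has(event.origin)) {
    return { status: "rejected", reason: `untrusted origin ${String(event.origin)}` };
  }
  return dispatch(event.data);
}

// Constructed sample events with the fields a MessageEvent exposes to a listener.
const trustedEvent = { origin: "https://cloud.example.com", data: { type: "openFile" } };
const attackerEvent = { origin: "https://attacker.example", data: { type: "openFile" } };
const lookalikeEvent = { origin: "https://cloud.example.com.attacker.example", data: { type: "openFile" } };

// Browser wiring (skipped under Node): register only the checked listener.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => handleMessageChecked(e));
}
```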
If you do not have the auto-update enabled, update the Fabasoft Cloud Client to its current version. No further action is required for the Fabasoft Cloud Client.
Update the Fabasoft Folio Client to the version mentioned below. Moreover, it is strongly recommended to restrict the communication with the Fabasoft Folio Client to particular hosts or domains. This can be done by setting an appropriate registry key.
For more information on this setting of the Fabasoft Folio Client, refer to the topic „Security Considerations of the Fabasoft Folio Client Web Browser Integration“ in the white paper „Fabasoft Folio Client“ ( https://help.folio.fabasoft.com/index.php?topic=doc/Fabasoft-Folio-Clien... )
Fixed with the following versions of the Fabasoft Cloud or Fabasoft Folio Client: