Vulnerabilities 2020Permanent link for this heading

Folio Client Mailmerge interruption can lead to wrong content (FSC25088) Permanent link for this heading

First published: 23 November 2020

Last update: 12 February 2021

ID: FSC25088

Affected Components: Fabasoft Folio Client with Fabasoft eGov-Suite

Severity: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N, Basic Score: 4,2 (Medium)

Status: New

CVEs: -

Summary Permanent link for this heading

Running the mail-merge process from within Fabasoft eGov-Suite (that is processed by the locally installed Folio Client), and the user opens other Word documents during mail-merge processing, the wrong content could be applied as mail-merge result.

Impact Permanent link for this heading

In the case that the user opens a Word document beneath the mail-merge process, the Folio Client wrongly assumes that the opened document is the result of the mail-merge. The document with wrong content is assigned to the receipient of the mail-merge, and in consequence may be sent to a receipient of the mail-merge.

The wrongly used content may include personally identifiable or confidential information.

Remediation Permanent link for this heading

Fabasoft has fixed the issue. A hotfix is available for Fabasoft Folio versions listed in the hotfix section.

The fix requires to update the Fabasoft Folio Client on the client machines. No update of other services is required.

Workaround Permanent link for this heading

As long as the Fabasoft Folio Client was not updated to the build numbers mentioned below, recommend your users to not open any other Microsoft Word documents as long as the progress bar of the mail-merge is visible.

Hotfix Information Permanent link for this heading

Fabasoft has fixed this issue in the following Fabasoft Folio / Fabasoft eGov-Suite versions:

  • Fabasoft Folio 2021 (from Folio Client version 21.1.0.76)
  • Fabasoft Folio 2020 Update Rollup 4 (from Folio Client version 20.1.4.50)
  • Fabasoft Folio 2019 Update Rollup 3 (from Folio Client version 19.2.3.175)
  • Fabasoft Folio 2017 R1 (from Kit 17.4.0.73 / from Folio Client version 17.4.7.114)
  • Fabasoft Folio 2017 R1 UR7 (from Folio Client version 17.4.7.114)
  • Fabasoft Folio 2016 Update Rollup 7 (from Kit 16.0.11.77 / from Folio Client version 16.0.11.77)
  • and all major releases and Update Rollups above the mentioned versions.

Access to Confidential Data Possible via Image Conversion (FSC21814) Permanent link for this heading

First published: 14 May 2020

Last update: 25 November 2020

ID: FSC21814

Affected Components: Fabasoft Cloud Web Services, Fabasoft Folio Web Services

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, Basic Score: 6,5 (Medium)

Status: Final

CVEs: CVE-2018-16323

Summary Permanent link for this heading

Due to the vulnerability CVE-2018-16323 in ImageMagick when converting images and downloading them memory fragments can be leaked via the image data

Impact Permanent link for this heading

By repeated downloading converted images an attacker can read parts of the memory of a Fabasoft Web Service that may contain sensitive information.

Remediation Permanent link for this heading

Hotfix Information Permanent link for this heading

Fixed with following versions of the Fabasoft Cloud or Fabasoft Folio:

  • Fabasoft Cloud Version 2020 June Release (Version 20.3.1)
  • Fabasoft Folio Version 2021 (Version 21.1.0)

Malicious Website can Perform Actions Through Fabasoft Cloud or Fabasoft Folio Browser Extension (FSC21815) Permanent link for this heading

First published: 14 May 2020

Last update: 25 November 2020

ID: FSC21815

Affected Components: Fabasoft Cloud Client, Fabasoft Folio Client

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L, Basic Score: 8.3 (High)

Status: Final

CVEs: -

Summary Permanent link for this heading

The Fabasoft Cloud or Fabasoft Folio browser extension uses web messaging to communicate with the Fabasoft Cloud Client or Fabasoft Folio Client. The Fabasoft Cloud Client or Fabasoft Folio Client do not check whether the origin of the messages is a trustworthy site.

Impact Permanent link for this heading

Malicious website can perform actions through Fabasoft Cloud or Fabasoft Folio browser extension and store files in the temp directory of the current user.

Remediation Permanent link for this heading

Fabasoft Cloud Permanent link for this heading

If you do not have the auto-update enabled, update the Fabasoft Cloud Client to its current version. No further action is required for the Fabasoft Cloud Client.

Fabasoft Folio Permanent link for this heading

Update the Fabasoft Folio Client to the version mentioned below. Moreover, it is strongly recommended to restrict the communication with the Fabasoft Folio Client to particular hosts or domains. This can be done by setting an appropriate registry key.

For more information concerning this setting of the Fabasoft Folio Client refer to topic „Security Considerations of the Fabasoft Folio Client Web Browser Integration“ in the Whitepaper „Fabasoft Folio Client“ ( https://help.folio.fabasoft.com/index.php?topic=doc/Fabasoft-Folio-Clien... )

Hotfix Information Permanent link for this heading

Fixed with following versions of the Fabasoft Cloud or Fabasoft Folio Client:

  • Fabasoft Cloud Version 2020 June Release (Version 20.3.1)
  • Fabasoft Folio Client Version 2020 UR 2 (Version 20.1.2)
  • Hotfix for Fabasoft Folio Client Version 2019 UR3
  • Hotfix for Fabasoft Folio Client Version 2017 R1 UR6