First published: 23 November 2020
Last update: 12 February 2021
ID: FSC25088
Affected Components: Fabasoft Folio Client with Fabasoft eGov-Suite
Severity: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N, Base Score: 4.2 (Medium)
Status: New
CVEs: -
When the mail-merge process is run from within Fabasoft eGov-Suite (the merge is processed by the locally installed Folio Client) and the user opens other Word documents during mail-merge processing, the wrong content may be applied as the mail-merge result.
If the user opens a Word document while the mail-merge process is running, the Folio Client wrongly assumes that the opened document is the result of the mail-merge. The document with the wrong content is assigned to the recipient of the mail-merge and, in consequence, may be sent to a recipient of the mail-merge.
The wrongly used content may include personally identifiable or confidential information.
Fabasoft has fixed the issue. A hotfix is available for the Fabasoft Folio versions listed in the hotfix section.
The fix requires updating the Fabasoft Folio Client on the client machines. No update of other services is required.
As long as the Fabasoft Folio Client has not been updated to the build numbers mentioned below, advise your users not to open any other Microsoft Word documents while the progress bar of the mail-merge is visible.
Fabasoft has fixed this issue in the following Fabasoft Folio / Fabasoft eGov-Suite versions:
First published: 14 May 2020
Last update: 25 November 2020
ID: FSC21814
Affected Components: Fabasoft Cloud Web Services, Fabasoft Folio Web Services
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, Base Score: 6.5 (Medium)
Status: Final
CVEs: CVE-2018-16323
Due to the vulnerability CVE-2018-16323 in ImageMagick, memory fragments can be leaked via the image data when images are converted and downloaded.
By repeatedly downloading converted images, an attacker can read parts of the memory of a Fabasoft Web Service, which may contain sensitive information.
Fixed with the following versions of the Fabasoft Cloud or Fabasoft Folio:
First published: 14 May 2020
Last update: 25 November 2020
ID: FSC21815
Affected Components: Fabasoft Cloud Client, Fabasoft Folio Client
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L, Base Score: 8.3 (High)
Status: Final
CVEs: -
The Fabasoft Cloud or Fabasoft Folio browser extension uses web messaging to communicate with the Fabasoft Cloud Client or Fabasoft Folio Client. The Fabasoft Cloud Client and Fabasoft Folio Client do not check whether the origin of a message is a trustworthy site.
A malicious website can perform actions through the Fabasoft Cloud or Fabasoft Folio browser extension and store files in the temp directory of the current user.
If auto-update is not enabled, update the Fabasoft Cloud Client to its current version. No further action is required for the Fabasoft Cloud Client.
Update the Fabasoft Folio Client to the version mentioned below. Moreover, it is strongly recommended to restrict communication with the Fabasoft Folio Client to particular hosts or domains. This can be done by setting an appropriate registry key.
For more information on this setting of the Fabasoft Folio Client, refer to the topic „Security Considerations of the Fabasoft Folio Client Web Browser Integration“ in the whitepaper „Fabasoft Folio Client“ ( https://help.folio.fabasoft.com/index.php?topic=doc/Fabasoft-Folio-Clien... )
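The following is an added illustration of the missing check described above, not code from Fabasoft or from the Folio/Cloud Client. It shows what a web-messaging listener on the receiving side looks like when it validates the origin of each message against an allowlist of hosts or domains, which is the same idea as the registry-key restriction recommended above. The origins in the allowlist and the sample events are constructed placeholders; the action names are hypothetical.

```javascript
// Added example (not Fabasoft code): an origin allowlist for a web-messaging
// listener. A page-to-client bridge receives { origin, data } events; without
// an origin check, any page the user visits can drive the client. The hosts
// below are constructed placeholders, not real Fabasoft hosts.

const ALLOWED_ORIGINS = [
  "https://folio.example.test",     // exact origin (constructed)
  "https://*.cloud.example.test",   // domain and all its subdomains (constructed)
];

// Returns true only for https origins whose host matches an allowlist entry.
// A wildcard entry "https://*.d" matches "d" itself and any "x.d".
function isTrustedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(origin);           // also normalises away a default :443 port
  } catch {
    return false;                    // "null", empty or malformed origins are rejected
  }
  if (url.protocol !== "https:") return false;
  return allowlist.some((entry) => {
    if (entry.startsWith("https://*.")) {
      const domain = entry.slice("https://*.".length);
      return url.host === domain || url.host.endsWith("." + domain);
    }
    return `${url.protocol}//${url.host}` === entry;
  });
}

// Builds a "message" handler that only dispatches actions from trusted origins.
// Actions are recorded in a log instead of being executed, so the effect of the
// check is observable; "storeFile" / "openDocument" are hypothetical names.
function createMessageHandler(allowlist = ALLOWED_ORIGINS) {
  const log = [];
  const handler = (event) => {
    const trusted = isTrustedOrigin(event.origin, allowlist);
    const wellFormed = event.data && typeof event.data.action === "string";
    if (!trusted || !wellFormed) {
      log.push({ origin: event.origin, accepted: false });
      return;                        // drop silently; never echo data back to an untrusted origin
    }
    log.push({ origin: event.origin, accepted: true, action: event.data.action });
  };
  return { handler, log };
}

// Constructed events standing in for window "message" events.
const SAMPLE_EVENTS = [
  { origin: "https://folio.example.test", data: { action: "openDocument" } },
  { origin: "https://tenant1.cloud.example.test", data: { action: "storeFile" } },
  { origin: "https://evil.example", data: { action: "storeFile" } },
  { origin: "https://folio.example.test.evil.example", data: { action: "storeFile" } }, // prefix spoof
  { origin: "http://folio.example.test", data: { action: "storeFile" } },               // plain http
  { origin: "null", data: { action: "storeFile" } },                                     // sandboxed/opaque origin
];

function runSample(events = SAMPLE_EVENTS) {
  const { handler, log } = createMessageHandler();
  events.forEach(handler);
  return log;
}

// In a browser the handler would be registered with:
//   window.addEventListener("message", handler);
if (typeof require !== "undefined" && require.main === module) {
  console.table(runSample());
}
```

Only the first two sample events are accepted; the look-alike host, the plain-http origin and the opaque "null" origin are all dropped. The matching is done on the parsed origin (scheme plus host), never by substring search on the raw string, which is what lets the prefix-spoof case fail. Any reply the client sends back should likewise name the validated origin explicitly rather than "*" as the target origin.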
Fixed with the following versions of the Fabasoft Cloud or Fabasoft Folio Client: