Versions Compared

Version Old Version 4 New Version Current
Changes made by

Ylva Andersson

Ylva Andersson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Minor
Info

Latest update date of this article:
2025-0102-2310

General information

An Two XSS vulnerability has vulnerabilities have been discovered in Nexus Digital Access.

Versions affected

All Digital Access versions currently not EOL are affected by these vulnerabilities.

Resolution

A URL query parameter on the password reset page in self-service is vulnerable to XSS injection. This means that if the session cookies are not configured in a secure manner an evil attacker could craft a link that can give access to sensitive information and possibly overtaking the session. In order to exploit this an authenticated user must be tricked to visit a vulnerable link.

Versions affected

All Digital Access versions currently not EOL are affected by this vulnerabilitypatch version has been released to fix the XSS vulnerabilities in Digital Access 6.8.x. This version is called Digital Access 6.8.1 and it is available for download through the Support Portal (or by upgrading the versiontag.yml in the Docker Swarm setup). The version includes fixes for two XSS vulnerabilities, and it is highly recommended to upgrade to this release. See Release Notes Digital Access 6.8.1 for more information.

Patch versions are also available for the remaining minor versions still in support:

  • Digital Access component version 6.7.4

  • Digital Access component version 6.6.2

  • Digital Access component version 6.5.3

The versions are available for download from the Support Portal (or the suggested method to upgrade versiontag.yml).

These releases also contain fixes for less critical vulnerabilities that have been discovered after the release of the previous maintenance version in that minor release. See the respective release notes (linked above in the bullet list) for the contents of each version.

If upgrade to a patched version can not be completed currently, see the steps below to manually avoid the vulnerabilities.

Step-by-step instruction to resolve and remove the

...

vulnerabilities

  1. Make sure that cookies are handled securely. In the Administration service: Go to Manage System > Access Points > Manage Global Access Point Settings > Advanced settings
    The following checkboxes must be checked:

...

  1. Click Browse in the upper right corner of the window.

  2. Locate the passwordSet.js file under access-point/built-in-files/wwwroot/wa/scripts

  3. Click the edit symbol (sheet with a pencil) and edit the file as explained below:

    1. In the method loadPage locate this row:
      $(".form-message").html( decodeUrlParameter(decodeURI( message ) )) ;

      Change it (by replacing html with text) to:
      $(".form-message").text( decodeUrlParameter(decodeURI( message ) )) ;

    2. In the method displaySuccessMessage locate this row:
      $(".form-message").html( decodeUrlParameter( message ) );

      Change it (by replacing html with text) to:

      $(".form-message").text( decodeUrlParameter( message ) );

  4. Click Save and close the browser window.

  5. Click Publish (it may not be blue at this point but it will still work)

...

Validate the fix by visiting the following link:

https://<your dns name>/wa/passwordSet.html?userID=testuser</script>&phoneNumber=&message=<script>alert(%27if%20this%20is%20shown%20in%20a%20popup%20the%20system%20is%20not%20safe.%20If%20it%20is%20shown%20in%20the%20web%20page%20the%20system%20is%20safe%27);</script>

The dns name must be modified to the server dns name.

A popup should not be shown and if this is the case the system is no longer vulnerable for this issue.

...

  1. .