
Latest update date of this article:
2025-01-29

General information

Two cross-site scripting (XSS) vulnerabilities have been discovered in Nexus Digital Access. Both concern a message taken from the URL that the password-set page (passwordSet.js) renders as HTML; see the manual steps below for the affected code.

Versions affected

All Digital Access versions that have not reached end of life (EOL) are affected by these vulnerabilities.

Resolution

A patch version, Digital Access 6.8.1, has been released to fix the two XSS vulnerabilities in Digital Access 6.8.x. It is available for download through the Support Portal (or, in the Docker Swarm setup, by updating the version in versiontag.yml). It is highly recommended to upgrade to this release. See https://doc.nexusgroup.com/pub/release-notes-digital-access-component-6-8-1 for more information.

Patch versions for the remaining minor versions still in support will be made available as they are completed. This article will be updated when those versions are available for download.

If an upgrade to a patched version cannot be completed at this time, follow the steps below to mitigate the vulnerabilities manually. Note that the manual edit applies only to the two code locations listed; upgrading to a patched version is still the recommended resolution.

Step-by-step instructions to mitigate the vulnerabilities manually

  1. Make sure that cookies are handled securely. In the Administration service, go to Manage System > Access Points > Manage Global Access Point Settings > Advanced settings. The following checkboxes must be checked:

     [Image: Session control DA.png, showing the session control checkboxes that must be enabled]

  2. Click Browse in the upper right corner of the window.

  3. Locate the passwordSet.js file under access-point/built-in-files/wwwroot/wa/scripts.

  4. Click the edit symbol (sheet with a pencil) and edit the file as explained below. In both places the jQuery .html() call, which makes the browser parse the message as HTML, is replaced by .text(), which inserts the message as plain text so that any markup it contains is displayed literally instead of being interpreted. The decoding of the message is left unchanged.

    1. In the method loadPage locate this row:
      $(".form-message").html( decodeUrlParameter(decodeURI( message ) )) ;

      Change it (by replacing html with text) to:
      $(".form-message").text( decodeUrlParameter(decodeURI( message ) )) ;

    2. In the method displaySuccessMessage locate this row:
      $(".form-message").html( decodeUrlParameter( message ) );

      Change it (by replacing html with text) to:
      $(".form-message").text( decodeUrlParameter( message ) );

  5. Click Save and close the browser window.

  6. Click Publish (the button may not be blue at this point, but it will still work).
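As an added example (not code from this advisory or from Nexus), the following Node.js script models the two render paths changed in step 4 and shows why replacing .html() with .text() removes the vulnerability. jQuery and the browser DOM are replaced by a minimal stand-in element; the page's decodeUrlParameter() is assumed to behave like decodeURIComponent() with '+' mapped to a space (its real implementation is not shown here); and missingCookieAttributes() assumes that the session control settings from step 1 add the Secure and HttpOnly attributes to the session cookie, which this page does not state. All inputs are constructed.

```javascript
// Added example, not code from the advisory: models the vulnerable and fixed
// render paths of passwordSet.js with a minimal DOM stand-in so it runs in Node.

// Assumption: the page's decodeUrlParameter() decodes percent-encoding and
// maps '+' to a space, like a typical query-string decoder.
function decodeUrlParameter(value) {
  return decodeURIComponent(String(value).replace(/\+/g, " "));
}

// Escaping the browser applies when a string is assigned as text
// (textContent), which is what jQuery's .text() does.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stand-in for $(".form-message"): .html() stores raw markup, .text() stores
// escaped text. innerHTML is what a real browser would then parse and run.
function makeElement() {
  return {
    innerHTML: "",
    html(markup) { this.innerHTML = markup; return this; },
    text(value) { this.innerHTML = escapeHtml(value); return this; },
  };
}

// loadPage() before the fix: the URL-supplied message is parsed as markup.
function loadPageVulnerable(message) {
  const el = makeElement();
  el.html(decodeUrlParameter(decodeURI(message)));
  return el.innerHTML;
}

// loadPage() after the fix: identical decoding, but rendered as text.
function loadPageFixed(message) {
  const el = makeElement();
  el.text(decodeUrlParameter(decodeURI(message)));
  return el.innerHTML;
}

// Rough check for an element, comment or end tag, i.e. something the HTML
// parser would act on. Sufficient for the constructed inputs used here.
function containsMarkup(html) {
  return /<[a-z!/]/i.test(html);
}

// Step 1 check: report which of the expected attributes a Set-Cookie header
// lacks. Assumption: the session control checkboxes set Secure and HttpOnly.
function missingCookieAttributes(setCookieHeader) {
  const attrs = setCookieHeader
    .split(";")
    .slice(1)
    .map((a) => a.trim().toLowerCase().split("=")[0]);
  return ["secure", "httponly"].filter((want) => !attrs.includes(want));
}

// Constructed inputs (not taken from a real system).
const payload = "%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E";
// Double-encoded variant: decodeURI and decodeUrlParameter both decode, so a
// filter or WAF that decodes only once sees "%3Cb%3E..." and no tag at all.
const doubleEncoded = "%253Cb%253Ehi%253C%2Fb%253E";

console.log("vulnerable render:", loadPageVulnerable(payload));
console.log("fixed render:     ", loadPageFixed(payload));
console.log("single decode of double-encoded input:", decodeURIComponent(doubleEncoded));
console.log("what the vulnerable page renders:      ", loadPageVulnerable(doubleEncoded));
console.log("missing cookie attributes:", missingCookieAttributes("SESSION=abc; Path=/"));
```

Two points the script makes explicit: the message is decoded twice (decodeURI, then decodeUrlParameter), so any upstream filtering that decodes once cannot be relied on; and the fix works because the decoded string is never handed to the HTML parser, not because anything is stripped from it. After publishing the edited file, the change can be verified by opening the page with a message parameter containing harmless markup such as <b>test</b> and confirming that the tags are shown literally. It is also worth searching the remaining scripts under wwwroot for other .html( calls fed by request data, since the steps above cover only the two locations named in the advisory.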
