Overview
Versions of TeleScope prior to 2020.1 were vulnerable to a cross-site scripting (XSS) vulnerability: an actor creating a collection could supply crafted HTML as the collection name, containing arbitrary JavaScript bound to DOM events.
That HTML was then injected into the page served to viewers of the collection, and the JavaScript executed as the DOM events fired in the unsuspecting user's browser. This could be used to leak the client's confidential information, such as the session ID.
Solution
XSS attacks are prevented by validating all user input so that no executable code can be injected through it. This issue was fixed in TeleScope Executive 2020.1. If you're on an affected version, it is recommended that you upgrade to that version or later. If your TeleScope installation has customizations or you're an OnDemand customer, please contact your Account Manager or support for help.
Testing
After upgrading, any code entered through user input will be sanitized and rendered inexecutable by TeleScope, preventing the execution of any JavaScript code.
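As an added example (not TeleScope's own code; the render functions, the `containsInjectedMarkup` check and the sample name are hypothetical), this shows the unsafe concatenation the advisory describes next to an output-encoding step that turns a crafted collection name into inert text:

```javascript
// Added example, not TeleScope's own code: HTML-encode a user-supplied
// collection name before inserting it into a page, so markup or DOM event
// handlers stored in the name are shown as literal text, never executed.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the five characters that can break out of an HTML text or
// attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (what the advisory describes): the stored name is
// concatenated straight into the markup, so any tag or on* attribute it
// contains becomes a live element for every viewer of the collection.
function renderCollectionUnsafe(name) {
  return `<h2 class="collection-name">${name}</h2>`;
}

// Hardened pattern: the name is encoded for the HTML text context, so the
// browser displays the characters and creates no element or handler.
function renderCollectionSafe(name) {
  return `<h2 class="collection-name">${escapeHtml(name)}</h2>`;
}

// Regression check for a template or test suite: report true if the
// rendered fragment contains any tag other than the expected wrapper, or
// any on* event-handler attribute inside a tag.
function containsInjectedMarkup(html, wrapperTag) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.some((tag) => {
    const name = tag.replace(/^<\/?\s*([a-zA-Z][a-zA-Z0-9]*).*$/, '$1').toLowerCase();
    return name !== wrapperTag || /\son[a-z]+\s*=/i.test(tag);
  });
}

// Constructed sample: a collection name carrying an inline event handler,
// the kind of input the advisory says older versions did not neutralize.
const SAMPLE_NAME = 'Q3 Campaign <b onmouseover="handler()">Launch</b>';
```

Running `containsInjectedMarkup` over every rendered collection title is a cheap way to confirm after the upgrade that no stored name reaches the page as live markup.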