Stored XSS Via Help Server Setting Vulnerability 

(CVE-2021-35240)

Summary

A security researcher found a stored XSS via a Help Server setting. This affects customers using Internet Explorer because they do not support 'rel=noopener'

Affected Products

  • Orion Platform 2020.2.5 and earlier

Fixed Software Release

Acknowledgments

  • Kajetan Rostojek

Advisory Details

Severity

6.5 High

Advisory ID

First Published

07/20/2021

Last Updated

08/24/2021

Fixed Version

Orion Platform 2020.2.6 HF1

Workarounds

CVSS Score

CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L