Advisory ID: TO-2021-001 Product: WebACMS Vendor: AFI Solutions GmbH Tested Version: 2.1.0 Fixed Version: - Vulnerability Type: Cross-Site Scripting (CWE-79) CVSSv2 Severity: AV:N/AC:L/Au:N/C:P/I:P/A:N (Score 6.4) CVSSv3 Severity: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Score 6.1) Solution Status: Unfixed Manufacturer Notification: 2021-12-13 Solution Date: 2022-01-17 Public Disclosure: 2022-01-20 CVE Reference: CVE-2021-44829 Authors of Advisory: Patrick Hener & Siva Rajendran, Thinking Objects GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The product "ACMS" of AFI Solutions GmbH [1] is a so called edi converter. For companies to be able to exchange arbitrary data it is common to use a edi converter to convert between data formats of the sender and the recipient. The product of AFI Solutions also incorporates a web interface, which is the subject of this advisory. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The index page has a parameter "ID" which is used to navigate within the web application. It is not properly sanitized and will be rendered into the login form of the index page, as well. The vulnerable code will be shown from the following listing: