Security vulnerabilities
Denial of service by Third Party Software
Found on 14.12.2023
Existing since unknown
Fixed with 2023w52a on 28.12.2023
CVSS Score 5.3
A denial of service attack could be executed through the third party library Dompdf by recursively referencing SVG images. No such configurations were used in Cofys. Even if they had been, an attack could only lead to a service degradation, not to a leak of customer data. See CVE-2023-50262 for more details.
Open Redirect
CWE-601
Found on 10.10.2023
Fixed with 2023w42a on 16.10.2023
Severity Medium
Improper parsing of HTTP request parameters could lead to open redirects in multiple cases.
Deserialization of Untrusted Data
CWE-502
Found on 10.10.2023
Fixed with 2023w42a on 16.10.2023
Severity High
Improper parsing of HTTP request parameters could lead to deserialization of untrusted data in one case.
Path Traversal
CWE-23
Found on 10.10.2023
Fixed with 2023w42a on 16.10.2023
Severity High
Improper parsing of HTTP request parameters could lead to path traversal in multiple cases. The traversable directory included only static code files and no user data, sessions or config files.
Cross-site Scripting (XSS)
CWE-79
Found on 10.10.2023
Fixed with 2023w42a on 16.10.2023
Severity High
In multiple cases the user could pass JavaScript through HTML parameters. The passed data was never stored on the servers.
Bypassing of URI validation in Third Party Software
Found on 07.02.2023
Existing since 31.01.2023
Fixed with 2023w11a on 13.03.2023
CVSS Score 9.8
The URI validation of the Third Party Library dompdf/dompdf can be bypassed on SVG parsing by passing <image> tags with uppercase letters. No such configurations were used in Cofys. See CVE-2023-24813 for more details.
Bypassing of URI validation in Third Party Software
Found on 01.02.2023
Existing since 31.01.2023
Fixed with 2023w06a on 07.02.2023
CVSS Score 9.8
The URI validation of the Third Party Library dompdf/dompdf can be bypassed on SVG parsing by passing <image> tags with uppercase letters. No such configurations were used in Cofys. See CVE-2023-23924 for more details.
Remote File Inclusion (RFI) in Third Party Software
Found on 26.09.2022
Existing since 25.09.2022
Fixed with 2022w40a on 07.10.2022
CVSS Score 7.5
The Third Party Library dompdf/dompdf allowed for Remote File Inclusion (RFI) under certain configurations. No such configurations were used in Cofys. See CVE-2022-41343 for more details.
Server-Side Request Forgery (SSRF) in Third Party Software
Found on 12.07.2022
Existing since 21.03.2022
Fixed with 2022w28a on 12.07.2022
CVSS Score 5.3
The Third Party Library dompdf/dompdf allowed for Server-Side Request Forgery (SSRF) under certain configurations. No such configurations were used in Cofys. See CVE-2022-0085 and huntr.dev for more details.
Improper Input Validation in Third Party Software
Found on 29.03.2022
Existing since 21.03.2022
Fixed with 2022w13b on 30.03.2022
CVSS Score 7.5
The Third Party Library guzzlehttp/psr7 contained improper header parsing. See CVE-2022-24775 for more details.
Reflected cross-site scripting
Found on 19.01.2022
Existing since 21.11.2020
Fixed with 2022w03e on 19.01.2022
CVSS Score 6.1
A reflected cross-site scripting (XSS) vulnerability allows an attacker to temporarily inject malicious scripts into the application page. In this case an attacker could craft a malicious form that, when submitted, could insert JavaScript into a POST parameter in the coupon, name and email fields of the booking process. The JavaScript code was not stored. Other forms using POST parameters are not affected.
Reflected cross-site scripting
Found on 19.01.2022
Existing since 21.02.2021
Fixed with 2022w03d on 19.01.2022
CVSS Score 5.4
A reflected cross-site scripting (XSS) vulnerability allows an attacker to temporarily inject malicious scripts into the application page. In this case an attacker could insert JavaScript into a query parameter of the forum search and send this link to other users. The JavaScript code was not stored. Other forms using query parameters are not affected.