| Field | Value |
| --- | --- |
| CVE ID | CVE-2024-7874 |
| Publication date | 06 December 2024 |
| Vendor | Tungsten Automation |
| Product | TotalAgility |
| Vulnerable versions | All through 7.9.0.25.0.954 |
| Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) |
| Report source | Report to CERT Polska |
| Field | Value |
| --- | --- |
| CVE ID | CVE-2024-7875 |
| Publication date | 06 December 2024 |
| Vendor | Tungsten Automation |
| Product | TotalAgility |
| Vulnerable versions | All through 7.9.0.25.0.954 |
| Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in Tungsten Automation (formerly Kofax) TotalAgility software and participated in coordination of their disclosure.
TotalAgility software in all versions through 7.9.0.25.0.954 is vulnerable to Reflected XSS attacks (CVE-2024-7874 and CVE-2024-7875) through manipulation of two different parameters: mfpConnectionId in a form sent to the endpoints /TotalAgility/Kofax/BrowserDevice/ScanFront.aspx and /TotalAgility/Kofax/BrowserDevice/ScanFrontDebug.aspx, as well as mfpScreenResolutionWidth in a form sent to the endpoint /TotalAgility/Kofax/BrowserDevice/ScanFront.aspx.
These vulnerabilities allow an unauthenticated user to inject malicious JavaScript code, which can lead to an information leak. Exploitation is possible only via POST requests and also requires retrieving or generating a valid VIEWSTATE parameter, which limits the risk of a successful attack.
We were unable to contact the software manufacturer to confirm the range of the affected versions, so newer ones might be vulnerable as well.
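For defenders who log POST bodies at a WAF or reverse proxy, the following added example (not CERT Polska's or the vendor's code) flags requests to the endpoints above whose mfpConnectionId or mfpScreenResolutionWidth values do not match a conservative allowlist; the expected value shapes, the tab-separated record format and the sample records are assumptions constructed for the example.

```python
"""Flag POST requests to the TotalAgility endpoints named in CVE-2024-7874 /
CVE-2024-7875 whose watched parameters fall outside an assumed allowlist."""
import re
from urllib.parse import parse_qs

# Endpoints and parameters taken from the advisory (tuples keep order stable).
AFFECTED_ENDPOINTS = {
    "/TotalAgility/Kofax/BrowserDevice/ScanFront.aspx": ("mfpConnectionId", "mfpScreenResolutionWidth"),
    "/TotalAgility/Kofax/BrowserDevice/ScanFrontDebug.aspx": ("mfpConnectionId",),
}

# Assumed legitimate value shapes (not stated in the advisory): an opaque
# identifier and an integer pixel width. Tighten to match your deployment.
EXPECTED = {
    "mfpConnectionId": re.compile(r"^[A-Za-z0-9_-]{1,64}$"),
    "mfpScreenResolutionWidth": re.compile(r"^\d{1,5}$"),
}

def check_request(method: str, path: str, body: str) -> list:
    """Return (parameter, decoded value) pairs that look suspicious for one
    request. Only POST is considered, as the advisory scopes exploitation."""
    findings = []
    if method.upper() != "POST":
        return findings
    watched = AFFECTED_ENDPOINTS.get(path.split("?", 1)[0])
    if not watched:
        return findings
    params = parse_qs(body, keep_blank_values=True)  # percent-decodes values
    for name in watched:
        for value in params.get(name, []):
            if not EXPECTED[name].match(value):
                findings.append((name, value))
    return findings

# Constructed sample records: "<method>\t<path>\t<url-encoded body>".
SAMPLE_RECORDS = [
    "POST\t/TotalAgility/Kofax/BrowserDevice/ScanFront.aspx\t__VIEWSTATE=abc&mfpConnectionId=dev-42&mfpScreenResolutionWidth=1024",
    "POST\t/TotalAgility/Kofax/BrowserDevice/ScanFront.aspx\t__VIEWSTATE=abc&mfpConnectionId=dev-42&mfpScreenResolutionWidth=1024%22%3E%3Cb%3Ex",
    "POST\t/TotalAgility/Kofax/BrowserDevice/ScanFrontDebug.aspx\t__VIEWSTATE=abc&mfpConnectionId=%3Cb%3Ex",
    "GET\t/TotalAgility/Kofax/BrowserDevice/ScanFront.aspx\tmfpConnectionId=%3Cb%3Ex",  # GET: out of scope
]

def scan_records(records) -> list:
    """Return (path, parameter, value) for every suspicious record."""
    hits = []
    for rec in records:
        method, path, body = rec.split("\t", 2)
        hits.extend((path, name, value) for name, value in check_request(method, path, body))
    return hits

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS):
        print("suspicious:", hit)
```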
Credits
We thank Amin ACHOUR and Abderrahmane Bounhidja for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.