Presentation

XSS type injections are possible from eonweb, the injection parameters are the “Job Name” and “Job Description” fields. A user with permissions to access the export or autodiscovery can execute javascript code for example on the eonweb interface. This flaw therefore requires authentication and is more conducive to a fishing attack. It therefore does not present a significant danger.

Exploit

We have no knowledge of an exploit today.

Impacted Version(s)

EON 4.2+ EON 5.0+

Fixed Version(s)

EON 5.3-11

Fix

Download latest EON fixed version.