"SIS Informatik is your specialist for the conception and implementation of tailor-made accounting, business intelligence and corporate performance management solutions. In addition to technical competence, business know-how and the willingness to develop optimal, adaptable software solutions together with our customers are the central components that make us a strong partner. We develop solutions based on high-quality technologies from well-known partners such as IBM, Oracle and Qlik" (translated from German)
The vendor provides a patch, which should be installed immediately. SEC Consult recommends performing a thorough security review of these products, conducted by security professionals, to identify and resolve all security issues.
1) Multiple Reflected Cross-Site Scripting (XSS) (CVE-2021-31537)
Proof of concept
1) Multiple Reflected Cross-Site Scripting (XSS) (CVE-2021-31537)
The affected parameters are: "config", "version", "win", "db", "pwd", and "user".
No valid parameter values need to be supplied to trigger the XSS vulnerability, as seen in the following URL:
The following URL is affected as well:
All parameters are affected.
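The advisory lists six reflected parameters and notes that no valid value is needed, i.e. whatever is supplied is echoed back unescaped. The following probe is an added example, not SEC Consult's test harness and not SIS-REWE GO code: it sends a unique canary through each listed parameter on its own and reports which ones come back verbatim. The two page renderers, the base URL and the markup are constructed stand-ins, since the real endpoint and its HTML are not given here; the hardened renderer shows the attribute encoding that closes the hole.

```python
"""Reflected-XSS probe for the six parameters named in the advisory.

Added example, not SEC Consult's or SIS Informatik's code. vulnerable_page
and hardened_page are constructed stand-ins for a server that echoes query
parameters into HTML; the real SIS-REWE GO endpoint is not modelled.
"""
from __future__ import annotations

import html
import secrets
from typing import Callable, Optional
from urllib.parse import urlencode

# Parameters the advisory lists as affected; per the text all of them
# reflect input and no valid value is required to trigger the bug.
AFFECTED_PARAMS = ("config", "version", "win", "db", "pwd", "user")


def canary(name: str, token: Optional[str] = None) -> str:
    """Unique marker that breaks out of a quoted attribute and opens a tag.

    '">' closes an attribute value, '<x...>' is a harmless, easy-to-spot tag;
    the hex token makes each probe unambiguous in the response.
    """
    token = token or secrets.token_hex(4)
    return f'"><x{token}-{name}>'


def build_probe_url(base_url: str, name: str, marker: str) -> str:
    """URL for a single-parameter probe (base_url is hypothetical)."""
    return f"{base_url}?{urlencode({name: marker})}"


def is_reflected_unescaped(body: str, marker: str) -> bool:
    """True when the marker appears verbatim, i.e. without entity encoding."""
    return marker in body


def vulnerable_page(params: dict[str, str]) -> str:
    """Constructed stand-in: echoes every parameter raw into hidden inputs."""
    fields = "".join(
        f'<input type="hidden" name="{k}" value="{v}">' for k, v in params.items()
    )
    return f"<html><body><form>{fields}</form></body></html>"


def hardened_page(params: dict[str, str]) -> str:
    """Same page with HTML attribute encoding applied to every reflected value."""
    fields = "".join(
        f'<input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in params.items()
    )
    return f"<html><body><form>{fields}</form></body></html>"


def probe(render: Callable[[dict[str, str]], str],
          params: tuple[str, ...] = AFFECTED_PARAMS) -> dict[str, bool]:
    """Probe each parameter alone and report which ones reflect unescaped.

    `render` stands in for an HTTP GET against the target; in a live test it
    would issue the request from build_probe_url and return the body.
    """
    findings = {}
    for name in params:
        marker = canary(name)
        findings[name] = is_reflected_unescaped(render({name: marker}), marker)
    return findings


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_page))
    print("hardened:  ", probe(hardened_page))
```

Against the vulnerable stand-in every one of the six parameters is reported as reflecting the canary, matching the advisory's "all parameters are affected"; against the hardened page none is, because `html.escape(..., quote=True)` turns the `"`, `<` and `>` of the canary into entities. For a live check, replace `render` with a function that performs the GET built by `build_probe_url` and returns the response body; the encoding fix belongs on the server side, at the point where the parameter is written into the page.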
Vulnerable / tested versions
The following product/firmware version has been tested:
- SIS-REWE GO 7.5.0/12C