Reflected XSS Vulnerabilities in SIS Informatik - Rewe Go


Reflected Cross-site Scripting Vulnerability


SIS Informatik - REWE GO

Vulnerable Version

7.5.0/12C

Fixed Version

7.7 SP17

CVE Number

CVE-2021-31537



Steffen Robertz, Florian Lienhart (Office Vienna)

The bookkeeping software REWE by SIS Informatik is affected by multiple reflected cross-site scripting vulnerabilities on the login screen. Hence, an attacker is able to execute arbitrary JavaScript code in the browser of the victim.


Vendor description

"SIS Informatik is your specialist for the conception and implementation of tailor-made accounting, business intelligence and corporate performance management solutions. In addition to technical competence, business know-how and the willingness to develop optimal, adaptable software solutions together with our customers are the central components that make us a strong partner. We develop solutions based on high-quality technologies from well-known partners such as IBM, Oracle and Qlik" (translated from German)



Business recommendation

The vendor provides a patch which should be installed immediately. SEC Consult recommends performing a thorough security review of these products, conducted by security professionals, to identify and resolve all security issues.


Vulnerability overview/description

1) Multiple Reflected Cross-Site Scripting (XSS) (CVE-2021-31537)

The login website returns unfiltered or unescaped user input. This leads to a reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary HTML or JavaScript code into the victim's web browser. Once the victim clicks on a malicious link, the attacker's code is executed in the context of the victim's web browser.
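The mechanism described above, as an added example that is neither code from this advisory nor from the SIS Informatik product: a toy login-page renderer that concatenates the six reflected parameters straight into HTML (the vulnerable shape) next to the same renderer with contextual output encoding applied (the fix). The parameter names are the ones the advisory lists; the login path, the markup and the `render_login_*` / `params_from_url` helpers are assumptions made for illustration.

```python
# Added example, not code from the advisory or from SIS Informatik: a toy
# login-page renderer showing how unescaped reflection of the six parameters
# named in the advisory produces the XSS, and the output encoding that fixes it.
import html
from urllib.parse import parse_qs, urlsplit

# The parameter names come from the advisory; the login path and the markup
# below are assumptions made for illustration, not the product's real page.
REFLECTED_PARAMS = ("config", "version", "win", "db", "pwd", "user")


def params_from_url(url: str) -> dict:
    """Take the first value of each reflected parameter from a URL's query string,
    defaulting to "" so that a URL with no parameters at all still renders."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: qs.get(name, [""])[0] for name in REFLECTED_PARAMS}


def render_login_vulnerable(p: dict) -> str:
    """Before the fix: values are concatenated into HTML attribute and text
    contexts unchanged, so a value containing " or < breaks out of its context."""
    return (
        '<form action="/login">'
        f'<input type="hidden" name="config" value="{p["config"]}">'
        f'<input type="hidden" name="version" value="{p["version"]}">'
        f'<input type="hidden" name="win" value="{p["win"]}">'
        f'<input name="db" value="{p["db"]}">'
        f'<input name="user" value="{p["user"]}">'
        f'<input type="password" name="pwd" value="{p["pwd"]}">'
        f'<p>Connecting to database {p["db"]}</p>'
        "</form>"
    )


def render_login_hardened(p: dict) -> str:
    """After the fix: every reflected value is HTML-escaped; quote=True also turns
    " and ' into entities, which is what keeps an attribute value closed."""
    e = {k: html.escape(v, quote=True) for k, v in p.items()}
    return (
        '<form action="/login">'
        f'<input type="hidden" name="config" value="{e["config"]}">'
        f'<input type="hidden" name="version" value="{e["version"]}">'
        f'<input type="hidden" name="win" value="{e["win"]}">'
        f'<input name="db" value="{e["db"]}">'
        f'<input name="user" value="{e["user"]}">'
        # A password taken from the URL is never echoed back into the page.
        '<input type="password" name="pwd" value="">'
        f'<p>Connecting to database {e["db"]}</p>'
        "</form>"
    )


def reflects_verbatim(page: str, probe: str) -> bool:
    """True if the probe string reaches the rendered page unescaped."""
    return probe in page


if __name__ == "__main__":
    # Constructed probe: a quote to close the attribute, then harmless markup.
    probe = '"><b>probe</b>'
    url = "http://login.example/login?user=%22%3E%3Cb%3Eprobe%3C%2Fb%3E"
    p = params_from_url(url)
    print("vulnerable reflects probe:", reflects_verbatim(render_login_vulnerable(p), probe))
    print("hardened reflects probe:  ", reflects_verbatim(render_login_hardened(p), probe))
```

The escaping has to match the context the value lands in: `html.escape(..., quote=True)` is sufficient for element text and for double-quoted attribute values, which is all this page uses. A value that were instead placed inside a `<script>` block or an `href` would need the encoding for that context, and allowlisting structured values such as `version` or `db` against the set the application actually knows is cheaper still.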


Proof of concept

1) Multiple Reflected Cross-Site Scripting (XSS) (CVE-2021-31537)

When opening the following URL, the supplied JavaScript code will be executed.


The affected parameters are: "config", "version", "win","db", "pwd", and "user".

No valid parameters need to be supplied to trigger the XSS vulnerability, as seen in the following URL:


The following URL is affected as well:


All parameters are affected.
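For operators who cannot patch on the day the advisory lands, the parameter list above gives a concrete thing to watch for in web-server logs. The following is an added example, not part of the advisory or of the vendor's product: it parses Common Log Format lines and flags requests to the login page whose reflected parameters carry HTML or script metacharacters. The parameter names are the advisory's; the login path `/rewego/login`, the `inspect_target` / `scan_log` helpers and the sample log lines are constructed assumptions.

```python
# Added example, not part of the advisory or of the vendor's product: a
# defender-side scan of web-server access logs that flags requests to the
# login page whose reflected parameters carry HTML or script metacharacters.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameter names are from the advisory; the login path is an assumption.
REFLECTED_PARAMS = ("config", "version", "win", "db", "pwd", "user")
LOGIN_PATH = "/rewego/login"

# Tokens that legitimate values for these parameters never contain but that
# are needed to break out of an attribute or inject markup/script.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)

# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')

# Constructed sample lines (not real traffic); entries 2, 3 and 5 should fire.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/May/2021:09:12:01 +0200] "GET /rewego/login?config=prod&db=FIBU&user=mmuster HTTP/1.1" 200 2311',
    '203.0.113.7 - - [11/May/2021:09:14:33 +0200] "GET /rewego/login?user=%22%3E%3Cb%3Eprobe%3C%2Fb%3E HTTP/1.1" 200 2354',
    '203.0.113.7 - - [11/May/2021:09:15:02 +0200] "GET /rewego/login?version=%253Cb%253Ex%253C%252Fb%253E&db=FIBU HTTP/1.1" 200 2340',
    '10.0.0.9 - - [11/May/2021:09:16:10 +0200] "GET /rewego/report?user=%3Cb%3E HTTP/1.1" 200 1800',
    '198.51.100.4 - - [11/May/2021:09:17:45 +0200] "GET /rewego/login?pwd=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 2300',
]


def inspect_target(target: str) -> dict:
    """Return {param: decoded value} for suspicious reflected parameters of one
    request target, or {} if the request is not for the login page or is clean."""
    parts = urlsplit(target)
    if parts.path != LOGIN_PATH:
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in REFLECTED_PARAMS:
            continue
        for value in values:
            # parse_qs decoded once; decode again so double-encoded input is seen.
            decoded = unquote(value)
            if SUSPICIOUS.search(decoded):
                # Never copy a password value into findings, even a malicious one.
                hits[name] = "<redacted>" if name == "pwd" else decoded
    return hits


def scan_log(lines) -> list:
    """Parse Common Log Format lines and return one finding per flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, method, target, status = m.groups()
        hits = inspect_target(target)
        if hits:
            findings.append({"client": client, "time": when, "method": method,
                             "status": int(status), "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['method']} -> {f['params']}")
```

Two caveats a practitioner will want: the scan only sees what the server logged, so a payload carried in a POST body or stripped by a reverse proxy will not appear, and because `pwd` is accepted as a query parameter, any password a user sends that way is already sitting in the access log in clear text, which is why the finding redacts it rather than copying it into yet another place.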


Vulnerable / tested versions

The following product/firmware version has been tested:

  • SIS-REWE GO 7.5.0/12C


Vendor contact timeline

2021-02-24 Contacting vendor through; no reply.
2021-03-11 Contacting vendor again through
2021-03-15 Vendor requests more information. SEC Consult offered to provide advisory via encrypted or unencrypted mail.
2021-03-17 Sending advisory via PGP encrypted mail.
2021-03-21 Vendor confirmed the vulnerability and is working on a patch.
2021-04-12 Requested status update.
2021-04-16 Hot fix 7.7 SP16 available in week 16, next release 7.7 SP17 in week 18.
2021-05-11 Coordinated release of security advisory.


Contact the vendor in order to install the security patch for release 7.7 SP16 or upgrade to release 7.7 SP17. More information has been provided to customers of the vendor in a newsletter.




EOF Steffen Robertz, Florian Lienhart / @2021