A stored XSS vulnerability was discovered in the ECT Provider in OutSystems before 2020-09-04, affecting generated applications. It could allow an unauthenticated remote attacker to craft and store malicious Feedback content into /ECT_Provider/, such that when the content is viewed (it can only be viewed by Administrators), attacker-controlled JavaScript will execute in the security context of an administrator’s browser. This is fixed in Outsystems 10.0.1005.2, Outsystems 11.9.0 Platform Server, and Outsystems 11.7.0 LifeTime Management Console.
CPE | Name | Operator | Version |
---|---|---|---|
lifetime_management_console | ge | 11 | |
lifetime_management_console | lt | 11.7.0 | |
outsystems | ge | 10 | |
outsystems | lt | 10.0.1005.2 | |
platform_server | ge | 11 | |
platform_server | lt | 11.9.0 |