Security Vulnerability Advisory
-------------------------------

CVE: CVE-2019-12547
Publication Date: 04/17/2020
Revision: 1.0
Link: https://digital.security/advisories/cert-ds_advisory-opentrust_mft_xss-cve-2019-12547.txt

Title
-----
Reflected XSS in OpenTrust MFT

Overview
--------
OpenTrust MFT is a file sharing platform produced by Equisign. An XSS in uploaded files' names that can lead to account takeover has been found.

Affected Products
-----------------
- OpenTrust MFT < 3.3.6.2

Details
-------
There is a reflected XSS in filenames that is triggered when the sender opens the message after sending it. Since the session cookie isn't protected with HttpOnly, this can lead to full account takeover. However, it is quite hard to exploit, since the sender must first be tricked into sending a file that has an XSS in its name.

CVSSv3 Overall Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

Solution
--------
This has been fixed in 3.3.6.2; we recommend updating MFT.

Credits
-------
This vulnerability was discovered by Cédric Picard from digital.security Luxembourg.

Revision History
----------------
Revision 1: 2019.05.23 / Initial release

Timeline
--------
2017.10.16 Vulnerability discovered
2017.10.17 Equisign is informed
2018.07.02 A new version fixing the issue is produced

References
----------
https://www.opentrustmft.fr/
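The two weaknesses described under Details, unescaped filenames in the sent-message page and a session cookie without HttpOnly, illustrated as an added example written for this advisory (it is not OpenTrust MFT's code, and the page layout, the `missing_cookie_flags` checker and the sample filename are assumptions constructed here):

```python
import html
from http.cookies import SimpleCookie

# Constructed sample filename carrying markup, of the kind the advisory describes.
SAMPLE_FILENAME = "report<script>x</script>.pdf"


def render_sent_message_vulnerable(filename: str) -> str:
    """The 'before' pattern: the uploaded filename is interpolated into the
    page the sender sees after sending, with no output encoding, so any
    markup in the name is rendered as HTML (reflected XSS)."""
    return f"<li>Attachment: {filename}</li>"


def render_sent_message_fixed(filename: str) -> str:
    """The fix: HTML-encode the filename for the context it is written into.
    quote=True also encodes quotes, which matters inside attributes."""
    return f"<li>Attachment: {html.escape(filename, quote=True)}</li>"


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie value for the session with HttpOnly (keeps script
    from reading it, which is what makes the XSS an account takeover here)
    plus Secure and SameSite as defence in depth."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["path"] = "/"
    jar["session"]["samesite"] = "Strict"
    return jar.output(header="").strip()


def missing_cookie_flags(set_cookie: str) -> set:
    """Defender-side check over a raw Set-Cookie header value: report which
    of the hardening attributes are absent."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie.split(";")[1:]}
    return {flag for flag in ("httponly", "secure") if flag not in attrs}


if __name__ == "__main__":
    print(render_sent_message_vulnerable(SAMPLE_FILENAME))
    print(render_sent_message_fixed(SAMPLE_FILENAME))
    print(session_cookie_header("sessionid-placeholder"))
    print(missing_cookie_flags("session=sessionid-placeholder; Path=/"))
```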