Advisory ID: 14520

Release date: 2018-06-01

Last Updated: 2018-05-31

Issue Severity: Low

 

Source

Source: Common Weakness Enumeration

Release date: 2018-03-29

Problem Description

It is recommended to set the headers X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Content-Security-Policy and Strict-Transport-Security in the response from a web server to protect against XSS attacks. These headers are supported by modern browsers and are used to prevent the content from being included in a web site on another server.

 

Impact

None of these response headers are set by BoKS Web Services Interface (WSI) 7.1 (AKA MDS 7.1) and earlier versions.

 

WSI publishes a SOAP web service API and should not be vulnerable to any XSS attacks. This is because the content produced by the web service API is a SOAP-XML response and is never used directly in any web page on another web server. In other words, the response is processed by an application and never by a web browser.
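To confirm which of the five headers listed under Problem Description a given endpoint returns, a captured response can be audited as below. This is an added example, not vendor code: the function names, the two constructed sample responses and the header values in the second sample are assumptions for illustration.

```python
import io
from http.client import parse_headers

# The five response headers named in the advisory text.
RECOMMENDED = (
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Content-Security-Policy",
    "Strict-Transport-Security",
)

def audit_response(raw: bytes) -> dict:
    """Map each recommended header to its value, or None if absent or empty."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition(b"\r\n")
    if not status_line.startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    # parse_headers gives case-insensitive lookup, as HTTP field names require.
    msg = parse_headers(io.BytesIO(header_block + b"\r\n\r\n"))
    report = {}
    for name in RECOMMENDED:
        values = [v.strip() for v in (msg.get_all(name) or []) if v.strip()]
        report[name] = ", ".join(values) or None
    return report

def missing(raw: bytes) -> list:
    return [name for name, value in audit_response(raw).items() if value is None]

# Constructed sample: a SOAP reply carrying none of the five headers.
SOAP_BARE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b"\r\n"
)

# Constructed sample: same reply with all five set (values are illustrative).
SOAP_HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b"x-frame-options: DENY\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"Content-Security-Policy: default-src 'none'\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"\r\n"
)
if __name__ == "__main__":
    print("bare:", missing(SOAP_BARE), "hardened:", missing(SOAP_HARDENED))
```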

 

Affected Products

 

Product name: BoKS WSI / MDS

Version: 6.7 - 7.1

 

 

External References

Find out more about CWE-693 in the MITRE CWE directory.



Last Modified On: April 16, 2019