Published: 2020/04/28  Last Updated: 2020/04/28

Information from NI Consulting CO.,Ltd.

Vulnerability ID: JVN#47668991
Title: Sales Force Assistant vulnerable to cross-site scripting
Status: Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

Products
Sales Force Assistant Version 11.2.48 and earlier

Overview
If a malicious script is registered in the method of calling the assistant function,
an arbitrary script may be executed in the web browser of a user who is logged in to the Sales Force Assistant series.

Impact
This vulnerability may allow an unintended operation on a web browser.
Below are the impacts based on CVSS v3.
Severity Urgent
Not applicable
Severity Important
Not applicable
Severity Warning
CVSS v3 Base score: 5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/BS:5.4
Severity
Not applicable

Measures
Please update to Sales Force Assistant Series Version 11.2.49.
The service is available from 9:00 on April 28, 2020.
Customers using the cloud service are automatically updated.
For on-premises customers, please update online.