Published: 2020/04/28  Last Updated: 2020/04/28

Information from NI Consulting CO.,Ltd.

Vulnerability ID: JVN#47668991
Title: Sales Force Assistant vulnerable to cross-site scripting

This is a statement from the vendor itself with no modification by JPCERT/CC.

Sales Force Assistant Version 11.2.48 and earlier

If a malicious script is registered in the method of calling the assistant function, an arbitrary script may be executed in the web browser of a user who is logged in to the Sales Force Assistant series.

This vulnerability may allow an unintended operation on a web browser.
Below are the impacts based on CVSS v3.
Severity: Urgent
Not applicable
Severity: Important
Not applicable
Severity: Warning
CVSS v3 Base score: 5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/BS:5.4
Not applicable

Please update to Sales Force Assistant Series Version 11.2.49.
The service is available from 9:00 on April 28, 2020.
Customers using the cloud service are updated automatically.
On-premises customers should apply the update online.