Security Vulnerability
The following security vulnerabilities are fixed:
Vulnerability | Cause | Provided Fix | Version |
---|---|---|---|
Secure authentication on APIs | APIs are accessible without enforced authentication for new tenants. | All APIs for new tenants now require authentication by default to ensure secure connections. LCM Webservice is updated with | 2504 |
Hardcoded Credentials | Credentials were embedded in the source code, creating a security risk. | Replaced hardcoded credentials with a secure storage and retrieval method. | 2501 |
Path Traversal | File deletion logic lacked proper validation, enabling potential unauthorized access. | Implemented validation to prevent path traversal in file deletion operations. | 2501 |
Improper Certificate Validation | Certificate validation was set to CERT_NONE, allowing insecure connections. | Updated certificate validation to CERT_REQUIRED to ensure secure and proper validation. | 2501 |
SSO Authorization Failure with SecureAuth (Query String Issue) | SecureAuth did not process query string parameters correctly, leading to failed authentication and potential data exposure. | Parameters are now passed in the request body instead of the query string, ensuring secure authentication processing. | 2501 |
Privilege Escalation | Unauthorized users could access admin console pages without proper rights. | Restricted access based on user rights, preventing unauthorized access to admin console pages. | 2410 |
Banner Grabbing | Server information was exposed, allowing attackers to gather data for targeted attacks. | Disabled server header information by making configuration changes in the registry (regedit) and restarting the server. Removed the x-powered-by header at the application level, and customers are advised to remove it from IIS as well. | 2410 |
Improper Input Validation | Unfiltered HTML script tags could lead to cross-site scripting (XSS). | Restricted the use of HTML script tags in the application by rejecting values that contain the special characters < and >. | 2410 |
Private IP Address Disclosure | Private IP addresses were exposed in the application. | Removed IP addresses and instructed customers to use fully qualified domain names (FQDN) in web.config files. | 2410 |
Twilio Flex voice stream g711 conversion | An issue arises with the Twilio Flex voice stream g711 conversion. | The voice stream decode logic is moved into a separate method, and the existing method is removed from the component. | 2405 |
Encryption keys present in JavaScript file | Encryption keys are present in a JavaScript file; because the keys can be recovered from that file, users can decrypt the encrypted content with third-party tools. | A fix is provided. The AES keys are removed from the referenced file. Additionally, a custom action script is included to delete the source file from the relative tenant path. | 2404 |
Sensitive information exposed in API response | When retrieving the list of users, the application fetches their contact details to display in the grid. However, sensitive information such as phone numbers and email addresses was reported as being passed in plain text in the API response. | A fix is provided. Encoded data is now passed through the API, and upon receiving it in the UI, the encoded information is decoded before being bound to the grid for display. | 2404 |
Security headers are not enforced | The strict-transport-security header is reported as not being enforced in the LCMWebService application. | The issue is resolved. It was previously mentioned in the security guide as a manual configuration requirement. The security headers are now set in the LCMWeb Service configuration. | 2404 |
Cookie path attribute not set | The path attribute for cookies is reported as not being set. This attribute is used to prevent unauthorized parties from observing cookies during transmission. | The issue is resolved. A configuration is introduced to set the ASP.NET_SessionId cookie with a relative path when the session starts. The default setting of "/" means that no relative path is set for the cookie. | 2404 |
URL file supporting an invalid file type | There is an issue with validating the file type that users upload for the URL icon. Additionally, when a user clears the icon and saves, the value is not updating for the configuration. | Validation has been implemented to support the following image types: png, bmp, svg, jpeg, and gif. The icon update now occurs based on the user's selection. Roles and rights for individual URLs (Child URLs) have been added, allowing users to assign individual rights to specific URL settings. | 2402 |
Vulnerability fixes | A security vulnerability issue has been identified in the application. | The fix has been implemented by incorporating the following changes: | 2401 |
Data Extract Audit Log - Passwords Displayed | Some passwords are displayed in the audit trail, which is a security risk. | The password content is now encrypted for the affected operations. | 2311 |
Content Security Policy Vulnerability | The X-Frame-Options technique only checks against the top-level document's location, whereas the CSP frame-ancestors directive checks every ancestor for conformity. | Updated the Security Whitepaper with the following information: As a best practice, use frame-ancestors as part of the HTTP Content-Security-Policy header, if defined. Avoid using the X-Frame-Options header. | 2304 |
Potential vulnerability due to a lacking CSRF check | The Cross-Site Request Forgery (CSRF) check is missing in the Change Password API whenever a user changes the password. | Updated the API to include the CSRF check for the change password API. | 2301 |
Vulnerable JavaScript dependencies | Some older jQuery files are vulnerable to security risks. | Updated the jQuery binaries to the latest version to eliminate the risk. | P154 |
Lack of Session Cookie Security Attributes | The HttpOnly flag instructs the browser not to allow client-side scripts to access or manipulate the cookie. | By setting the HttpOnly flag, cookies such as ASP.NET_SessionId are prevented from being read by client-side JavaScript. Adding the SSL requirement in the configuration prevents them from being sent over unencrypted channels such as HTTP. | P154 |
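The Path Traversal row (version 2501) says the file deletion logic lacked validation and that validation was added. The block below is an added example, not the product's code: it shows an unvalidated deletion next to a validated one, with the base directory, file names and the "web.config" stand-in all constructed for the demonstration. Python is used purely for illustration; the page does not say which language the affected component is written in.

```python
import os
import tempfile
from pathlib import Path


def delete_file_before(base_dir: str, user_path: str) -> None:
    """Unvalidated deletion (constructed contrast, not the product's code).

    os.path.join discards base_dir entirely when user_path is absolute, and
    '..' segments walk out of base_dir, so a caller who controls user_path can
    delete any file the service account may remove.
    """
    os.remove(os.path.join(base_dir, user_path))


def resolve_within(base_dir: str, user_path: str) -> Path:
    """Resolve user_path under base_dir and refuse any result that escapes it."""
    base = Path(base_dir).resolve()
    # Resolve symlinks and '..' segments BEFORE comparing; a textual check on
    # the raw string would miss 'sub/../../x' and symlinked directories.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)  # ValueError if candidate is outside base
    except ValueError:
        raise PermissionError(f"path escapes base directory: {user_path!r}") from None
    return candidate


def delete_file_after(base_dir: str, user_path: str) -> bool:
    """Validated deletion: only regular files below base_dir can be removed."""
    target = resolve_within(base_dir, user_path)
    if not target.is_file():
        return False  # missing, or a directory; nothing is removed
    target.unlink()
    return True


def demo() -> dict:
    """Exercise the validated path in a throwaway directory with constructed files."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp) / "uploads"
        uploads.mkdir()
        (uploads / "report.pdf").write_text("constructed sample upload")
        # Constructed stand-in for a sensitive file outside the upload root.
        outside = Path(tmp) / "web.config"
        outside.write_text("constructed sample outside the upload root")

        results["inside"] = delete_file_after(str(uploads), "report.pdf")
        results["missing"] = delete_file_after(str(uploads), "report.pdf")
        for label, attempt in (
            ("dotdot", "../web.config"),
            ("nested_dotdot", "sub/../../web.config"),
            ("absolute", str(outside)),
        ):
            try:
                delete_file_after(str(uploads), attempt)
                results[label] = "deleted"
            except PermissionError:
                results[label] = "blocked"
        results["outside_survives"] = outside.exists()
    return results


if __name__ == "__main__":
    print(demo())
```

The comparison is done on fully resolved paths rather than on the user-supplied string, so encoded or nested `..` sequences, absolute paths and symlinks that point outside the upload root all fail the same `relative_to` check.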
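The Improper Certificate Validation row (version 2501) names the weak setting CERT_NONE and the corrected setting CERT_REQUIRED. Those constant names match Python's ssl module, so the added example below (not the product's code) assumes a Python TLS client: it builds the corrected context, adds a runtime guard that refuses a context weakened after creation, and scans constructed before/after source snippets for the patterns that switch verification off. The pattern list, snippets and function names are all constructed for this example.

```python
import re
import ssl

# Source patterns that indicate TLS verification has been switched off in
# Python client code (constructed list for this example; not exhaustive).
INSECURE_PATTERNS = {
    "CERT_NONE": re.compile(r"\bCERT_NONE\b"),
    "check_hostname_off": re.compile(r"check_hostname\s*=\s*False"),
    "verify_false": re.compile(r"\bverify\s*=\s*False"),
    "unverified_context": re.compile(r"_create_unverified_context\s*\("),
}


def scan_source(text: str) -> list:
    """Return (line_number, finding) pairs for lines that disable verification."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore trailing comments
        for name, pattern in INSECURE_PATTERNS.items():
            if pattern.search(code):
                findings.append((lineno, name))
    return findings


def verifying_context(cafile: str = None) -> ssl.SSLContext:
    """Context matching the fix: CERT_REQUIRED plus hostname checking."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # already the default; stated explicitly
    ctx.check_hostname = True
    return ctx


def weakened_context() -> ssl.SSLContext:
    """The 'before' state the page reports: CERT_NONE (constructed contrast)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if the peer certificate is required and the hostname is checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def assert_verifying(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Runtime guard to call right before wrapping a socket."""
    if not is_verifying(ctx):
        raise ValueError(
            f"refusing TLS context: verify_mode={ctx.verify_mode.name}, "
            f"check_hostname={ctx.check_hostname}"
        )
    return ctx


# Constructed snippets standing in for the before/after client code.
SAMPLE_BEFORE = """\
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE  # TODO: revisit
"""
SAMPLE_AFTER = """\
ctx = ssl.create_default_context()
ctx.verify_mode = ssl.CERT_REQUIRED
"""


if __name__ == "__main__":
    print("before:", scan_source(SAMPLE_BEFORE))
    print("after:", scan_source(SAMPLE_AFTER))
    print("fixed context verifying:", is_verifying(verifying_context()))
    print("weakened context verifying:", is_verifying(weakened_context()))
```

`verify_mode` alone is not enough: a context can require a certificate yet skip the hostname check, which still lets any certificate from the trusted store pass for any host, so the guard checks both attributes.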