Security Advisory - IXSA-20241204-01

Advisory ID IXSA-20241204-01
Version 1.1
Last updated 17.12.2024
Published 04.12.2024
Status Resolved
CVEs CVE-2024-55554
Summary User-defined portlets on portal pages are susceptible to the execution of JavaScript code in HTML (“cross-site scripting”).
Type/Severity High
Description On Intrexx portal pages, portlets of the type “User-defined” can be created with user-defined HTML input. JavaScript code inserted into such a portlet can be executed unnoticed in the portal when the portlet is output in the same or another user context, and can lead to a cross-site scripting vulnerability. Intrexx version 12.0.2 closes this vulnerability. With this release, three configuration options are available in the portal properties to control how the user-defined portlet is output and thus secure it.
Solution Please install Intrexx version 12.0.2 and check the new configuration options in the portal properties under “Security” immediately after completing the update.
Affected Products
  • Intrexx Portal Server <= 12.0.1
Fixes
  • Intrexx version 12.0.2 (12.0.2.20241204.1), released on 04.12.2024
References
Credits Found by: Marcel Heisel (HiSolutions AG)