Original Issue Date: October 29, 2021
Severity Rating: HIGH
Software Affected
Nitro Pro v13.47 and earlier
Overview
Multiple vulnerabilities have been reported in Nitro Product which could allow an attacker to bypass security restrictions and execute arbitrary code on the targeted system.
Description
1. Apache log4net security bypass ( CVE-2018-1285 )
This vulnerability exists in Nitro pro due to improper handling of XML external entity (XXE) declarations when parsing log4net configuration files. The successful exploitation of this vulnerability could allow an attacker to execute XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
2. JavaScript document. flatten Pages ( CVE-2021-21798 )
This vulnerability exists in Nitro pro due to return of stack variable address flaw in the JavaScript implementation. The successful exploitation of this vulnerability could allow an attacker to execute arbitrary code under the context of the application.
Solution
Apply appropriate fixes as mentioned below: