KSR Szafir SDK Web XSS and Integrity Check Bypass Vulnerabilities (CVE-2020-28927/28928)

Vulnerability Summary Vulnerability Overview This page discloses two security vulnerabilities in the Szafir software and its SDK, developed by the Polish National Clearing House (Krajowa Sieć Rozliczeniowa, KSR): 1. CVE-2020-28927: Affects Szafir SDK Web. This vulnerability allows attackers to bypass security mechanisms by injecting HTML code (use of less trusted source), potentially leading to cross-site scripting (XSS) or other injection attacks. 2. CVE-2020-28928: Affects Szafir software. This vulnerability involves improper validation of integrity check values, enabling attackers to bypass integrity checks by modifying file hash values. Affected Scope Vendor: Krajowa Sieć Rozliczeniowa (KSR) Affected Software and Versions: Szafir SDK Web: All versions below 0.17.4 Szafir: All versions below 1.1.0 Fix/Mitigation Upgrade Szafir SDK Web to version 0.17.4 or higher. Upgrade Szafir software to version 1.1.0 or higher. POC/Exploit No specific POC code or exploit code is provided in the document. Only textual descriptions of the vulnerabilities are included.

Goal Reached Thanks to every supporter — we hit 100%!

KSR Szafir SDK Web XSS and Integrity Check Bypass Vulnerabilities (CVE-2020-28927/28928)