| Component | d.ecs dms |
|---|---|
| Version | prior to version d.velop documents Annual 2025 |
| Created on | |
| Last modified on | No Workflow Applied |
| Review status | No Workflow Applied |
| KB article number | 2394161354 |

Summary
d.velop has identified injection vulnerabilities in the d.ecs dms (d.velop documents web client) component of d.velop documents, which could potentially allow unauthorized access to data in your system. The vulnerabilities are of the cross-site scripting (XSS) and HTML injection type and allow attackers to execute arbitrary code in the user's browser or manipulate the user interface if users are tricked into clicking on a crafted link.
d.velop has not yet observed any exploitation of the vulnerability by customers and recommends a well-planned and sufficiently prepared installation of the update.
Important requirements
If you use d.velop documents in the cloud, your system is already automatically up to date. No further action is required.
If you use d.velop documents on-premises, you will find the affected versions below and the corresponding recommendations for action in the Solution section.
These vulnerabilities affect all older versions of the d.ecs dms component. Please refer to our knowledge base article to identify the version you are using.
Solution
The vulnerabilities have been fixed in the following versions:
- Annual feed: d.ecs dms 3.0.37 in the d.velop documents version Annual 2025 patch 12b
- Current feed: d.ecs dms 4.0.15 in the d.velop documents version Current 2026.Q1 patch 3b
The updates are provided in d.velop software manager. Update the software to the versions listed above.
CVSS
Base Score: 8.1 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N