The vendor has released a new version, 5.5.1.84, which addresses this issue. Users are advised to update their installations as soon as possible. Users who cannot update their software, or who are concerned about the risk, can implement the following workarounds to mitigate it.
Use SSL/TLS for all remote connections
One way to keep malicious users from intercepting your cookie is to use SSL/TLS for all remote connections. SSL/TLS provides a secure connection that encrypts information in transit between the browser and the web server.
Disable SSLv3
SSLv3 is an older, more vulnerable version of SSL. The vendor has issued a new version, 5.5.1.84, which supports TLS 1.2 and is the most up-to-date release available. Users are advised to update their installations as soon as possible to the latest, more secure version available on the vendor's website.
Disable IPv6 on the network interface
This would prevent any IPv6 traffic from reaching the system.
Install the HTTPS version of oXygen XML Editor
If you cannot update your software, or if you are concerned about the risk, one remedy is to use only the HTTPS version of oXygen XML Editor. This mitigation requires you to make changes to your environment, but it will reduce your exposure and prevent an attacker from exploiting this vulnerability.
The other option for mitigating this risk is to install a "fix" for the issue in the application. The vendor has released a new version, 5.5.1.84, which addresses this issue and should be applied as soon as possible. Users who have already installed 5.5.0 can upgrade their installation to 5.5.1 without reinstalling their software.
Timeline
Published on: 09/23/2022 00:15:00 UTC
Last modified on: 09/24/2022 02:03:00 UTC