RajatVerma
Joined: Mar 5, 2014
Messages: 101
Dear All,
I have recently received a few vulnerabilities for one of my IVR applications developed using OD. We were able to resolve a few of the vulnerabilities, but the 2 below are still open. Kindly advise on the same.

  • HTTP Security Header Not Detected

  • AutoComplete Attribute Not Disabled for Password in Form Based Authentication

For the autocomplete attribute, I am only able to think of disabling generation of HTML pages while exporting the application.

Request if you can share your suggestions on the above 2 please.

Thanks,
Rajat Verma
massimo__croci
Joined: Jan 31, 2020
Messages: 518
Hi.

The best practice when you find a security vulnerability:
Open an SR (Service Request) ticket with Avaya Support ( https://support.avaya.com/service-requests/enterticket.action ), providing the 'vulnerabilities.txt' file attached to the SR.

Some tips concerning the vulnerabilities mentioned above:

- HTTP Security Header Not Detected

Check the OD Developer's Guide for your release, section "Web application Security", on how to set the HTTP headers 'X-Content-Type-Options', 'X-Frame-Options' and 'X-XSS-Protection'.
Here is the OD Developer's Guide 7.2 ( https://kb.avaya.com/resources/sites/AVAYA/content/live/FAQ/101000/FAQ101327/en_US/Orchestration%20Designer%20Developer%27s%20Guide.pdf )

- AutoComplete Attribute Not Disabled for Password in Form Based Authentication

The OD 8.1 Release Notes ( https://www.devconnectprogram.com/fileMedia/download/7481d19e-975b-4208-9749-f25396d56456 ) on page 4 say:

"In this release, speech application html mode is configurable. By default it is DISABLED for ALL speech applications in both simulation and deployment. You can use the project properties to enable HTML mode in the development environment. When you export you also have an opportunity to enable or disable this setting. When you enable you are warned “Warning, enabling HTML mode for a speech application can expose your application to cross site scripting attacks. Are you sure you want to enable this?” Note, Avaya recommends to NOT use HTML mode for deployed applications as the application will NOT function properly when accessing platform services (notification, reporting, CAV, and etc.). Furthermore, HTML mode exposes your application to cross site scripting attacks."

Please check the Release Notes of your OD version.
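To verify both findings locally before asking for a rescan, the following added example (not from the thread or from Avaya's OD code) audits a captured HTTP response for the three headers named above and for password inputs whose autocomplete is not set to "off" on the input or its form. The sample response is constructed for illustration, not captured from a real OD deployment.

```python
"""Audit one HTTP response for the two scanner findings discussed in this thread."""
from html.parser import HTMLParser

# Headers the OD Developer's Guide section "Web application Security" covers.
REQUIRED_HEADERS = ("X-Content-Type-Options", "X-Frame-Options", "X-XSS-Protection")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def missing_security_headers(headers):
    return [h for h in REQUIRED_HEADERS if h.lower() not in headers]


class _PasswordFieldScanner(HTMLParser):
    """Collect password inputs not covered by autocomplete="off" (scanner semantics)."""
    def __init__(self):
        super().__init__()
        self.form_off = False      # enclosing <form> has autocomplete="off"
        self.unprotected = []      # names of offending password inputs

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete") == "off"
        elif tag == "input" and a.get("type") == "password":
            if a.get("autocomplete") != "off" and not self.form_off:
                self.unprotected.append(a.get("name", "?"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False


def audit(raw):
    """Return both findings for one response; empty lists mean the checks pass."""
    headers, body = parse_response(raw)
    scanner = _PasswordFieldScanner()
    scanner.feed(body)
    return {"missing_headers": missing_security_headers(headers),
            "autocomplete_fields": scanner.unprotected}


# Constructed sample: only X-Frame-Options is set and the login form lacks autocomplete="off".
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n"
                   '<form method="post" action="/login"><input type="text" name="user">'
                   '<input type="password" name="pwd"></form>')

if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE))
```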