02-28-2024 02:04 PM
Looking into options for externally facing Unity Forms that would trigger Workflow to generate email notifications. Pentesters have raised concerns that this type of form triggering workflow could be vulnerable to unvalidated redirects and forwards (by intercepting the submission in a proxy tool, e.g., Burp Suite Professional, inserting a domain URL controlled by an attacker, and forwarding on the submission). Consumers of downstream notifications could then be presented with the malicious URL.
Has this concern come up for anyone else? Any mitigation strategies?
02-29-2024 01:18 PM
Hi
Was a formal penetration test report provided that documents this issue? If so, I would suggest opening a ticket with your first line of support so that it can be forwarded to Hyland's Application Security team for further review and comment.