Security Issues Resolved in 2025.09

The following issues related to FlexNet Operations security were addressed in the 2025.09 release.

HTML Injection Vulnerability Mitigation for FlexNet Operations Portals
Resolved Access Control Vulnerability for Agreements

HTML Injection Vulnerability Mitigation for FlexNet Operations Portals

(SWM-28029, SWM-28051, SWM-28025)

FlexNet Operations was found to be vulnerable to HTML injection across several input fields in both the End-User Portal and the Producer Portal. The affected areas included:

Fields in the End-User Portal on the Create Account and Edit Account pages:
    Account ID
    Account Name
Fields in the Producer Portal on the Create Server Host Type and Edit Server Host Type pages:
    Server Host Type Name
    Description
    Name
Fields in the Producer Portal on the Entitle Customers to Licenses page:
    Description
    Ship-to email
    Ship-to mail

These fields previously accepted unauthorized HTML content, posing a significant security risk. To mitigate these vulnerabilities, input sanitization and validation have been implemented: the affected fields now detect and neutralize HTML content in submitted values. If a user attempts to enter HTML, they receive an “HTML tags not allowed” error message, as shown in the following screenshots:

Error message when attempting to use HTML in the input fields of the Edit Account page.

Error message when attempting to use HTML in the input fields of the Create Server Host Type page.

Error message when attempting to use HTML in the input fields of the Entitle Customers To Licenses | Create An Entitlement page.

Note: These changes do not affect existing field values that already contain HTML tags.
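The following is an added illustration of the kind of server-side validation described above; it is not FlexNet Operations code, and the field names, the regular expression and the helper names are assumptions. It rejects any value in which a "<" would start a tag under the HTML tokenizer rules (a letter, "/", "!" or "?" immediately after it), checks the entity-decoded form as well so that "&lt;b&gt;" cannot slip through, and keeps output encoding as a second layer for values that are stored and rendered.

```python
import html
import re

# Error text returned for a rejected field (matches the wording in the release note).
ERROR_HTML_TAGS = "HTML tags not allowed"

# A "<" only opens a tag when immediately followed by a letter, "/", "!" or "?".
# "a < b" is therefore allowed, while "<b", "</b", "<!--" and "<?xml" are rejected.
_TAG_START_RE = re.compile(r"<(?:/?[A-Za-z]|!|\?)")


def contains_html_tag(value: str) -> bool:
    """True if the value, raw or after entity decoding, contains an HTML tag start."""
    # Entity-decoding catches "&lt;b&gt;" and "&#60;b", which a downstream renderer
    # that decodes entities would turn back into a real tag.
    for candidate in (value, html.unescape(value)):
        if _TAG_START_RE.search(candidate):
            return True
    return False


def validate_fields(fields: dict[str, str]) -> dict[str, str]:
    """Validate a form submission; returns {field_name: error_message} for rejected fields.

    An empty dict means every field passed. Field names are hypothetical labels
    chosen to mirror the affected portal fields.
    """
    return {
        name: ERROR_HTML_TAGS
        for name, value in fields.items()
        if contains_html_tag(value)
    }


def render_safely(value: str) -> str:
    """Output-encode a stored value for HTML context (defence in depth for pre-existing data)."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample submission, not real account data.
    submission = {"Account ID": "ACME-001", "Account Name": "Acme <b>Corp</b>"}
    print(validate_fields(submission))  # {'Account Name': 'HTML tags not allowed'}
    print(render_safely("Acme <b>Corp</b>"))  # Acme &lt;b&gt;Corp&lt;/b&gt;
```

Rejecting on tag start rather than stripping tags is deliberate: stripping produces values the user never typed and invites encoding bypasses, while a plain rejection is easy to audit and log. `render_safely` covers the note above about existing values that still contain tags, which the validator never sees.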

Resolved Access Control Vulnerability for Agreements

(SWM-28053)

This release addresses a previously identified broken access control vulnerability that allowed low-privilege users to access transaction details for agreements they were not authorized to view (under Products > List Agreements).

Low-privilege users can no longer view, download, or access transaction details for agreements outside their permission scope.
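As an added example of the object-level authorization this fix implies (not FlexNet Operations code; the roles, account model, agreement records and function names are all assumptions), the check below is a single predicate shared by the list, view and download paths, so the three cannot disagree about which agreements a user may see. Denied requests return the same response whether the agreement is missing or forbidden, and each denial is logged so that repeated probing of agreement IDs is visible to detection tooling.

```python
import logging
from dataclasses import dataclass

logger = logging.getLogger("agreements.authz")


@dataclass(frozen=True)
class User:
    user_id: str
    account_id: str
    roles: frozenset[str]


@dataclass(frozen=True)
class Agreement:
    agreement_id: str
    account_id: str            # account that owns the agreement
    transactions: tuple[str, ...]


# Constructed sample records; identifiers are invented, not real product data.
AGREEMENTS: dict[str, Agreement] = {
    "AGR-100": Agreement("AGR-100", "ACCT-A", ("TXN-1", "TXN-2")),
    "AGR-200": Agreement("AGR-200", "ACCT-B", ("TXN-3",)),
}

# Hypothetical privileged role that may see every agreement.
ADMIN_ROLE = "agreement_admin"


def can_view_agreement(user: User, agreement: Agreement) -> bool:
    """The one authorization predicate used by every read path."""
    if ADMIN_ROLE in user.roles:
        return True
    # Low-privilege users are scoped to agreements owned by their own account.
    return agreement.account_id == user.account_id


def list_agreements(user: User) -> list[str]:
    """Products > List Agreements: only agreements the caller is allowed to open."""
    return [a.agreement_id for a in AGREEMENTS.values() if can_view_agreement(user, a)]


def get_transaction_details(user: User, agreement_id: str) -> list[str]:
    """Return transaction IDs for an agreement, enforcing the check on the server."""
    agreement = AGREEMENTS.get(agreement_id)
    if agreement is None or not can_view_agreement(user, agreement):
        # Identical outcome for "missing" and "forbidden": no ID enumeration oracle.
        logger.warning("authz denied user=%s agreement=%s", user.user_id, agreement_id)
        raise PermissionError("agreement not found or access denied")
    return list(agreement.transactions)


def download_transactions(user: User, agreement_id: str) -> str:
    """Download path reuses the authorized lookup instead of re-implementing the check."""
    rows = get_transaction_details(user, agreement_id)
    return "\n".join(["transaction_id", *rows])


if __name__ == "__main__":
    low = User("u-low", "ACCT-A", frozenset({"end_user"}))
    print(list_agreements(low))                         # ['AGR-100']
    print(download_transactions(low, "AGR-100"))        # transaction_id / TXN-1 / TXN-2
    try:
        get_transaction_details(low, "AGR-200")         # other account: denied
    except PermissionError as exc:
        print("denied:", exc)
```

The point of routing the download through `get_transaction_details` is that a check added only to the HTML view leaves the export or API route exposed; the release note lists view, download and access together because all three must enforce the same scope.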