
This section provides an overview of all critical uniFLOW security advisories. For further information regarding these advisories, please contact your local Canon office, authorized reseller or NT-ware support representative. All local Canon offices and authorized resellers have access to the NT-ware Knowledgebase, where more detailed information and patches are available.

October 19th 2018 | Security Advisory
The following security advisory has been released for uniFLOW:

uniFLOW Authentication issue
We have identified an issue that exists under certain circumstances when using uniFLOW. In some cases, it may be possible to gain unauthorized access to uniFLOW. NT-ware has issued a hotfix to resolve the issue. The issue only affects the following versions of the software when used with certain authentication methods: uniFLOW V5.1 SRx, uniFLOW V5.2 SRx, uniFLOW V5.3 SRx, uniFLOW V5.4 SRx, uniFLOW 2018 LTS SRx, and uniFLOW 2018 v-Releases.

Please find instructions to install the hotfix here: uniFLOW Security Advisory Hotfix Instructions

We strongly recommend that the fix be implemented as soon as possible. If you need assistance, please contact your authorized dealer or support representative.

May 22nd 2017 | Security Advisory
The following security advisory has been released for all versions of uniFLOW:

Sniffing network packages to webcall.asp possible
- Hotfix available
- Service Release Fix: uniFLOW V5.4 SR9
- Further information on ITS: MOMKB-907

December 09th 2014 | Security Advisory
The following security advisory has been released for all versions of uniFLOW:

"POODLE" exploit (SSL 3.0 vulnerability)
- Hotfix not planned
- Service Release Fix: see MOMKB-759
- Further information on ITS: MOMKB-759

April 11th 2014 | Security Advisory
The following security advisory has been released for uniFLOW V5.1 and V5.2:

Heartbleed Bug (OpenSSL vulnerability)
- Hotfix available for uniFLOW V5.2 SR2
- Service Release Fix will be available for uniFLOW V5.1 SR9 and V5.2 SR3
- Further information on ITS: MOMKB-759

December 4th 2013 | Security Advisory
The following security advisories have been released by NT-ware for uniFLOW V5.2 SR1 and older:

Stored and reflected Cross Site Scripting (XSS)
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-733

Arbitrary command execution
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-734

Inadequate Access Control
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-735

Potential credential stealing on IG
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-736

Use of dangerous functions in the IG code
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-737

Arbitrary file write on IG
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-738

SQL Injection
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-739

Information disclosure through the header response of the IG server
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-740

Weak CAPTCHA security
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-741

Passwords stored in plain text in the IG database
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-742

Arbitrary file delete on uniFLOW server
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-74

Cross site request forgery (uniFLOW server)
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-744

May 8th 2013 | Security Advisory
The following four security advisories have been released for uniFLOW V5.1.0 – V5.1.6 and uniFLOW V5.2:

Authentication with user name and PIN-code on PWCLIENT and PWRQM
- Hotfix availability: in planning
- Service Release Fix: uniFLOW V5.1.7, V5.2 SR1
- Further information on ITS: MOMKB-705

December 8th 2011 | Security Advisory
The following four security advisories have been released for uniFLOW V5.0.5 and uniFLOW V5.1.1:

Password in HTML Source
- Hotfix availability: 08/12/2011
- Service Release Fix: uniFLOW V5.0.6, V5.1.2, V5.2
- Further information on ITS: MOMKB-581

SQL Injection
- Hotfix availability: 08/12/2011
- Service Release Fix: uniFLOW V5.0.6, V5.1.2, V5.2
- Further information on ITS: MOMKB-583

Persistent/Stored XSS
- Hotfix availability: 08/12/2011
- Service Release Fix: uniFLOW V5.0.6, V5.1.2, V5.2
- Further information on ITS: MOMKB-584

Unencrypted communication between MEAP Module and RPS
- Hotfix availability: 08/12/2011
- Service Release Fix: uniFLOW V5.0.6, V5.1.2, V5.2
- Further information on ITS: MOMKB-585