Webcon Bps
Monthly
Reflected XSS in WEBCON BPS via the '/openinmobileapp' endpoint allows unauthenticated attackers to inject arbitrary JavaScript that executes in authenticated users' browsers when a crafted URL is opened. The vulnerability requires user interaction (clicking a link) but impacts session confidentiality and integrity. Vendor-released patches are available for versions 2026.1.3.109 and 2025.2.1.293.
Reflected XSS in WEBCON BPS via the '/openinmobileapp' endpoint allows unauthenticated attackers to inject arbitrary JavaScript that executes in authenticated users' browsers when a crafted URL is opened. The vulnerability requires user interaction (clicking a link) but impacts session confidentiality and integrity. Vendor-released patches are available for versions 2026.1.3.109 and 2025.2.1.293.