Overview
This plugin generates DOCX files from a DOCX template and an XML data model supplied by Appian. It can also convert a DOCX file to PDF through an open-source library (with limited capabilities).
Key Features & Functionality
Hi Team,
Kindly let me know whether the vulnerabilities are addressed in the new version V1.0.8.
Thanks!
Hi,
Please find below the vulnerabilities found while scanning this plugin.
Apache Commons Compress: The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
Apache POI: In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.
Apache Xerces2 J: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
iText, a Java PDF library: The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF. iText is vulnerable to a stack-based buffer overflow. An attacker could exploit this flaw by tricking a victim into running a maliciously crafted file on the application, leading to a denial-of-service (DoS) condition.
Kindly help to check. Thanks in advance!
Hello, I am using the Advanced Document Template plugin to generate a docx, but I cannot include an image. Is there any example of how I have to code the docx to show the image? Thanks a lot.
Hi Daniel, thanks for your response. Part of the confusion in our case was that we also use the Dynamic Document Generator plug-in, which also lists a 'PDF from DOCX' smart service. We get headers and footers using 'PDF from DOCX', but not when we use it on a merged Word file after using 'DOCX merge' from Dynamic Document Generator.
We have it installed and it shows among the smart services within the Process Modeler. However, when we are trying to convert a DOCX to PDF using the smart service, we are currently unable to get the DOCX header and footer to appear in the PDF. Also, it looks like the documentation does not address 'PDF from DOCX'.
Hi all, in the description it is stated that the ADT plug-in contains both 'DOCX From Template' and 'PDF Document From DOCX' smart services. Can anyone confirm that 'PDF Document From DOCX' is actually included in the installation as I cannot seem to find the smart service in the process modeler in Appian. Thank you.
Hi, we are using this plug-in and would like it to be updated with the latest version of FreeMarker. It would be great if you could let us know when this can be made available. Thank you.
Hi, we have used this plugin in our application. In light of the recent discovery of vulnerabilities in log4j2, we would like to know whether this plugin uses an affected version of Log4j2 and, if so, whether you would release an updated version of this plugin to counter exploitation of the vulnerability.
Guys... Appian support has confirmed that the vulnerability applies only to log4j 2.x, and since this plugin is 1.x it shouldn't be an issue.
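The version ranges quoted in the scan results earlier in this thread, and the log4j 2.x question at its end, can be checked directly against a downloaded plug-in JAR rather than waiting for a reply. The following is an added example, not code from the plug-in, from Appian or from any poster in this thread. It assumes the plug-in bundles its dependencies as nested JARs under META-INF/lib/ and that the libraries use the Maven artifact names commons-compress, poi, poi-ooxml, poi-scratchpad, xercesImpl, itextpdf and log4j-core; both the layout and the names are assumptions to verify against your own artifact. The plug-in JAR it scans is constructed inline, so it runs offline.

```python
"""Scan a plug-in JAR for bundled libraries inside the version ranges reported
in the thread.  Added example: not the plug-in's or Appian's code.  Assumes
dependencies sit under META-INF/lib/ as nested JARs (assumption) and that the
artifact names below match what the plug-in actually ships (assumption)."""
import io
import re
import zipfile

# "commons-compress-1.18.jar" -> name "commons-compress", ver "1.18"
# Trailing qualifiers such as "-RC1" or ".Final" are tolerated but ignored.
JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*)(?:[-.][A-Za-z0-9]+)*\.jar$")


def parse_version(text):
    """'5.5.12' -> (5, 5, 12, 0): zero-padded so '4.1' and '4.1.0' compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


V = parse_version

# (artifact names, predicate over the parsed version, issue).  The bounds are
# exactly those stated in the thread; where a posting gave no version range
# (the Compress TAR/ZIP memory issues) nothing is encoded.  Artifact names
# are an assumption.
RULES = [
    (("commons-compress",), lambda v: V("1.15") <= v <= V("1.18"),
     "file-name encoding infinite loop (DoS); TAR/ZIP memory issues quoted without a range"),
    (("poi", "poi-ooxml"), lambda v: v <= V("4.1.0"),
     "XXE via XSSFExportToXml (POI up to 4.1.0)"),
    (("poi-scratchpad",), lambda v: v <= V("5.2.0"),
     "HMEF/TNEF out-of-memory; thread says fixed in 5.2.1"),
    (("xercesImpl",), lambda v: v <= V("2.12.1"),
     "infinite loop on crafted XML (XercesJ 2.12.1 and earlier)"),
    (("itextpdf", "itext"), lambda v: V("5.0.0") <= v < V("5.5.12"),
     "XXE in XML parsers; fixed in 5.5.12"),
    (("itextpdf", "itext"), lambda v: V("7.0.0") <= v < V("7.0.3"),
     "XXE in XML parsers; fixed in 7.0.3"),
    # log4j 1.x ships as "log4j-<ver>.jar"; log4j 2.x core ships as "log4j-core-<ver>.jar".
    (("log4j-core",), lambda v: v[0] == 2,
     "log4j 2.x, the line the thread says is affected"),
]


def bundled_jars(plugin_bytes):
    """Yield (artifact name, version string) for each JAR under META-INF/lib/."""
    with zipfile.ZipFile(io.BytesIO(plugin_bytes)) as zf:
        for entry in zf.namelist():
            if not entry.startswith("META-INF/lib/") or not entry.endswith(".jar"):
                continue
            m = JAR_RE.match(entry.rsplit("/", 1)[-1])
            if m:
                yield m.group("name"), m.group("ver")


def scan(plugin_bytes):
    """Return a sorted list of (name, version, issue) for bundled JARs in a reported range."""
    findings = []
    for name, ver in bundled_jars(plugin_bytes):
        v = parse_version(ver)
        for names, affected, issue in RULES:
            if name in names and affected(v):
                findings.append((name, ver, issue))
    return sorted(findings)


def build_sample_plugin():
    """Constructed plug-in JAR (not a real artifact) mixing affected and clean libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("appian-plugin.xml", "<appian-plugin/>")   # placeholder descriptor
        for jar in ("commons-compress-1.18.jar",   # inside 1.15..1.18
                    "poi-4.1.0.jar",               # "up to 4.1.0"
                    "poi-scratchpad-5.2.1.jar",    # above 5.2.0, clean
                    "xercesImpl-2.12.1.jar",       # "2.12.1 and previous"
                    "itextpdf-5.5.13.jar",         # at or above 5.5.12, clean
                    "log4j-1.2.17.jar",            # 1.x artifact, not log4j-core
                    "freemarker-2.3.28.jar"):      # no rule in the thread
            zf.writestr("META-INF/lib/" + jar, b"")  # contents irrelevant to the scan
    return buf.getvalue()


if __name__ == "__main__":
    for name, ver, issue in scan(build_sample_plugin()):
        print(f"{name} {ver}: {issue}")
```

Run the scan against the real plug-in JAR with `scan(open("plugin.jar", "rb").read())`; an empty result only means none of the ranges quoted in this thread matched, not that the bundled versions are free of other issues.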