Cross-Site Scripting Vulnerability in NI Web Server Component

NI recommends that users upgrade the affected software products to fix against this issue.  Refer to the Affected Products section below.   

NI strongly recommends updating the affected products; however, if updating is not possible, the following workarounds can be used as a temporary measure.

Systems with the affected products are only vulnerable to this issue if the NI Web Server is enabled. If the system does not require the NI Web Server, it can be disabled through the NI Web Server Configuration application.

1. Open the NI Web Server Configuration application. 

• If the NI Web Server wasn’t previously enabled, you will see an NI Web Server Guided Setup screen upon launching the application, and no further action is required. Otherwise, continue with the steps to disable the NI Web Server.

2. Select the Control tab
3. Select the Disable the web server option
4. Click the Apply button. The Web Server is now disabled.

If the NI Web Server is required for your system, the following file should be modified:  

1. Navigate to <Program Files>\National Instruments\Shared\Web Server\htdocs\login\
2. Open the file redirect.shtml using a text editor. 

• Note:  If this file does not exist, your system is not susceptible to the vulnerability. No further action is required.

3.  Replace the contents of the file with the following:

<script>
    var authRedirectUri = '<!--#echo encoding=base64 var=AUTH_REDIR_URI -->';
    var redirect = `${window.location.origin}/#login?external=${atob(authRedirectUri)}`;
    window.location.href = redirect;
</script>>

CVE-2022-27237 - 8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

At NI, we view the security of our products as an important part of our commitment to our customers.  Go to ni.com/security to stay informed and act upon security alerts and issues.

• External Link: CVE-2022-27237
• External Link: CWE-79