ES is the new Enterprise Solution from DALIM SOFTWARE, built from the successful TWIST, DIALOGUE and MISTRAL product lines. The ES Core is the engine that handles project tracking, JDF device workflow, dynamic user interface building and volume management. Each ES installation has a different feature set depending on the installed license: online approval, prepress workflow, project tracking, imposition management...
ES is a collaborative digital asset production and management platform, offering services ranging from online approval to a web-based production environment for all participants in the production cycle, including brand owners, agencies, publishers, pre-media, printers and multichannel service providers. ES lets users plan, execute and control any aspect of media production, regardless of the final use of the output (print, web, ebook, movie, and others). It ensures productivity and long-term profitability.
A server-side request forgery (SSRF) vulnerability exists in the DALIM Web Service management interface, within the XUI servlet functionality. The DALIM web services are a set of tools used by the different DALIM SOFTWARE applications: TWIST, MISTRAL and ES. They provide file sharing capabilities, JDF devices, a JDF controller, and job spooling management. The application uses user-supplied data from the GET parameter 'screen' to construct a page request to the service. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. An external attacker can use this, for example, to bypass firewalls and perform service and network enumeration on the internal network through the affected application.
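The following is an added illustration of the defect class described above and of the input validation that closes it; it is not DALIM's code, and the base URL, parameter handling and function names are assumptions made for the example. The unchecked function shows how joining an unvalidated parameter onto a service URL lets an absolute or protocol-relative value replace the destination host; the checked function accepts only a relative path (with optional query) that resolves underneath the service's own base URL and rejects everything else.

```python
"""Hypothetical 'screen' parameter handling (illustration, not DALIM's code)."""
from urllib.parse import urlsplit, urljoin, urlunsplit
import posixpath

# Assumed: the servlet forwards requests to a local web service under this base URL.
SERVICE_BASE = "http://127.0.0.1:8080/xui/"  # constructed placeholder


def build_target_unchecked(screen: str) -> str:
    """Vulnerable pattern: the parameter value is joined to the base URL as-is.

    An absolute URL or a protocol-relative '//host/...' value replaces the
    scheme and host, so the server-side fetch goes wherever the caller says.
    """
    return urljoin(SERVICE_BASE, screen)


def build_target_checked(screen: str) -> str:
    """Hardened pattern: only a relative path under SERVICE_BASE is accepted.

    Raises ValueError for anything else (absolute URLs, protocol-relative
    values, fragments, control characters, or paths that escape the base).
    """
    if not screen or any(ord(c) < 0x20 or c in "\\ " for c in screen):
        raise ValueError("screen contains disallowed characters")
    parts = urlsplit(screen)
    if parts.scheme or parts.netloc or screen.startswith("//"):
        raise ValueError("screen must be a relative path, not a URL")
    if parts.fragment:
        raise ValueError("fragments are not accepted")
    base = urlsplit(SERVICE_BASE)
    base_dir = base.path.rstrip("/")
    # Normalise '.' and '..' segments, then confirm the result is still under the base path.
    joined = posixpath.normpath(posixpath.join(base.path, parts.path.lstrip("/")))
    if joined != base_dir and not joined.startswith(base_dir + "/"):
        raise ValueError("path escapes the service base")
    # Rebuild the URL from the trusted scheme and host only; the caller contributes path and query.
    target = urlunsplit((base.scheme, base.netloc, joined, parts.query, ""))
    if not target.startswith(SERVICE_BASE.rstrip("/")):
        raise ValueError("resolved target left the service origin")
    return target


def is_accepted(screen: str) -> bool:
    """True if build_target_checked accepts the value, False if it raises."""
    try:
        build_target_checked(screen)
        return True
    except ValueError:
        return False


def target_host(url: str) -> str:
    """Host part of a resolved URL, used to show where a request would actually go."""
    return urlsplit(url).netloc


if __name__ == "__main__":
    for value in ("home.jsp?id=1", "http://external.example/", "//external.example/x", "../../admin"):
        unchecked = build_target_unchecked(value)
        print(f"{value!r:32} unchecked -> {unchecked:45} accepted by checked: {is_accepted(value)}")
```

The decisive checks are the rejection of any scheme or network location in the parsed value and the prefix comparison after path normalisation; rebuilding the final URL from the trusted base rather than from the input means the destination host can never come from the request. Logging rejected values gives a cheap detection signal for probing of this parameter.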