Meridio Document and Records Management has been identified as being vulnerable to an embedded Cross Site Scripting attack that could potentially allow remote attackers to inject JavaScript into the application. This would then be executed within the context of the browser of the application user.

The impact of this attack is only limited by the creativity of the attacker exploiting this vulnerability. The most dangerous form of XSS involves hostile code being permanently stored within the application. This means the embedded code would be executed by every user accessing the affected page and this is the case in this instance.

Meridio have addressed this vulnerability and implemented a fix in version 4.3 SR1 and higher.  The full advisory can be viewed here.