RSA Products Cross Site Scripting

Published
Credit
Risk
2017.06.12
Lukasz Plonka
Low
CWE
CVE
Local
Remote
CWE-79
CVE-2017-5004
CVE-2017-5003
No
Yes

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

EMC Identifier: EMC-2017-064

CVE Identifier: CVE-2017-5003, CVE-2017-5004



Severity Rating: CVSS v3 Base Score: Please view details below for individual CVE scores.



Affected Products:
RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels
RSA Via Lifecycle and Governance version 7.0, all patch levels
RSA Identity Management and Governance (RSA IMG) versions 6.9.1, all patch levels



Summary:

RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG contain fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise an affected system.



Details:



Reflected Cross Site Scripting Vulnerabilities (CVE-2017-5003)
The RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG products are affected by multiple reflected cross-site scripting vulnerabilities. An unauthenticated remote attacker may potentially exploit these vulnerabilities to execute arbitrary HTML in the users browser session in the context of the affected system.



CVSSv3 Base Score: 8.2/High (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)



Stored Cross Site Scripting Vulnerabilities (CVE-2017-5004)
The RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG products are affected by multiple stored cross-site scripting vulnerabilities. A low privileged remote attacker may potentially exploit these vulnerabilities to execute arbitrary HTML in the users browser session in the context of the affected system.


CVSSv3 Base Score: 7.6/High (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N)



Recommendation:

The following RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG releases contain resolutions to these vulnerabilities:
RSA Identity Governance and Lifecycle 7.0.2: 7.0.2 P01 or later
RSA Identity Governance and Lifecycle 7.0.1: 7.0.1 P03 or later
RSA Via Lifecycle and Governance 7.0: Requires upgrading to 7.0.1 P03 or later
RSA Identity Management and Governance 6.9.1: 6.9.1 P23 or later



RSA recommends all customers upgrade at the earliest opportunity.



Customers can obtain the documentation and software for these releases by downloading them from the Downloads area on RSA Identity Governance and Lifecycle space of RSA Link.



Credits:
RSA would like to thank Lukasz Plonka for reporting this vulnerability.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZOY09AAoJEHbcu+fsE81ZgQgH/R09z8L9gNLFaXwEzKB0/93N
ECsRg9kCuiQcCD9GVH51K8k/b+QIN9nHKPNphRhGn9EVuQi/oMIxCN6ZydNA0AXc
vodwfjPtVKPivE9lSm2YmHXGIHwwW5Cl+ndqWzcy4j9Ep4VCZGAzbxKHct82VoSV
gaoODYePstbwto/g6SfigWGK73eb9AjzpK1HYj34sWYFN7N+Uy2pfBTAJz+9sQGq
N74UTErIIAz6+WICZ8eHHu9ap6qoznR7jJ5vX/Tnq59vxOPfYQGlyVmG4Gnp5g8M
vYmKA5Kpre/hlJUsGvNS7s0xmV+e51CzGzu8Q0XeLsLWhQtTY4Zd6ZORx5+qWbQ=
=wmOY
-----END PGP SIGNATURE-----


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com