RSA Products Cross Site Scripting

2017.06.12
Credit: Lukasz Plonka
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 EMC Identifier: EMC-2017-064 CVE Identifier: CVE-2017-5003, CVE-2017-5004 Severity Rating: CVSS v3 Base Score: Please view details below for individual CVE scores. Affected Products: RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels RSA Via Lifecycle and Governance version 7.0, all patch levels RSA Identity Management and Governance (RSA IMG) versions 6.9.1, all patch levels Summary: RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG contain fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise an affected system. Details: Reflected Cross Site Scripting Vulnerabilities (CVE-2017-5003) The RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG products are affected by multiple reflected cross-site scripting vulnerabilities. An unauthenticated remote attacker may potentially exploit these vulnerabilities to execute arbitrary HTML in the users browser session in the context of the affected system. CVSSv3 Base Score: 8.2/High (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N) Stored Cross Site Scripting Vulnerabilities (CVE-2017-5004) The RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG products are affected by multiple stored cross-site scripting vulnerabilities. A low privileged remote attacker may potentially exploit these vulnerabilities to execute arbitrary HTML in the users browser session in the context of the affected system. CVSSv3 Base Score: 7.6/High (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N) Recommendation: The following RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG releases contain resolutions to these vulnerabilities: RSA Identity Governance and Lifecycle 7.0.2: 7.0.2 P01 or later RSA Identity Governance and Lifecycle 7.0.1: 7.0.1 P03 or later RSA Via Lifecycle and Governance 7.0: Requires upgrading to 7.0.1 P03 or later RSA Identity Management and Governance 6.9.1: 6.9.1 P23 or later RSA recommends all customers upgrade at the earliest opportunity. Customers can obtain the documentation and software for these releases by downloading them from the Downloads area on RSA Identity Governance and Lifecycle space of RSA Link. Credits: RSA would like to thank Lukasz Plonka for reporting this vulnerability. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJZOY09AAoJEHbcu+fsE81ZgQgH/R09z8L9gNLFaXwEzKB0/93N ECsRg9kCuiQcCD9GVH51K8k/b+QIN9nHKPNphRhGn9EVuQi/oMIxCN6ZydNA0AXc vodwfjPtVKPivE9lSm2YmHXGIHwwW5Cl+ndqWzcy4j9Ep4VCZGAzbxKHct82VoSV gaoODYePstbwto/g6SfigWGK73eb9AjzpK1HYj34sWYFN7N+Uy2pfBTAJz+9sQGq N74UTErIIAz6+WICZ8eHHu9ap6qoznR7jJ5vX/Tnq59vxOPfYQGlyVmG4Gnp5g8M vYmKA5Kpre/hlJUsGvNS7s0xmV+e51CzGzu8Q0XeLsLWhQtTY4Zd6ZORx5+qWbQ= =wmOY -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top