CVSS2

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | NONE |
| Integrity Impact | PARTIAL |
| Availability Impact | NONE |

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS Percentile: 72.3%
An XSS vulnerability exists in the Imperva SecureSphere management GUI.
Dell SecureWorks' SWRX-2011-001 advisory states:
"A vulnerability exists in Imperva SecureSphere due to improper validation of user-controlled input. User-controllable input is not properly sanitized for illegal or malicious content prior to being stored and later returned to an administrator in dynamically generated web content. Remote attackers could leverage this issue to conduct persistent cross-site scripting attacks. When the malicious content is viewed, arbitrary script or HTML code injected into the affected database field will be executed in the SecureSphere administrative user's browser session in the security context of the SecureSphere administrative GUI. Successful exploitation may aid an attacker in retrieving session cookies, stealing recently submitted data, or launching further attacks."
Additional details can be found in Imperva's advisory, Imperva Security Response for CVE-2011-0767.
An attacker may be able to execute arbitrary script in the security context of the user's browser session accessing the management GUI.
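The flaw pattern the advisory describes (stored, user-controlled input rendered to an administrator without encoding) next to the output-encoding fix, as an added Python illustration; this is not Imperva's code or part of the advisory, and the sample records, the `render_row_*` functions and the audit helper are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample records: values persisted in a database field that an
# administrative GUI later renders. Record 2 mimics user-controlled input that
# was stored without sanitization (sample data, not from the advisory).
STORED_RECORDS = [
    {"id": 1, "comment": "blocked request from monitored host"},
    {"id": 2, "comment": "<script>alert('x')</script>"},
]

def render_row_unsafe(record):
    # The flawed pattern: the stored value is spliced into generated HTML as-is,
    # so any markup it carries is interpreted by the administrator's browser.
    return f"<tr><td>{record['id']}</td><td>{record['comment']}</td></tr>"

def render_row_safe(record):
    # The fix: entity-encode every stored value at the output point, whatever was
    # (or was not) validated on input. quote=True also covers attribute contexts.
    cell_id = html.escape(str(record["id"]), quote=True)
    cell_comment = html.escape(str(record["comment"]), quote=True)
    return f"<tr><td>{cell_id}</td><td>{cell_comment}</td></tr>"

class TagCollector(HTMLParser):
    """Collects the start tags a browser would see in a rendered fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def rendered_tags(fragment):
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags

EXPECTED_ROW_TAGS = ["tr", "td", "td"]

def records_with_markup(records):
    # Defender-side audit: which stored records would introduce tags beyond the
    # template's own if rendered unencoded? Those are the ones needing review.
    return [r["id"] for r in records
            if rendered_tags(render_row_unsafe(r)) != EXPECTED_ROW_TAGS]

if __name__ == "__main__":
    for record in STORED_RECORDS:
        print(render_row_safe(record))
    print("records carrying markup:", records_with_markup(STORED_RECORDS))
```

Encoding at the output point is the durable fix because it does not depend on every input path having been validated; the audit helper only shows which already-stored values would have been rendered as live markup.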
Apply an Update
The following patches should be applied to the relevant SecureSphere version:
* SecureSphere 6.2: Releases 6442-6463, Patch 30
* SecureSphere 7.0: Releases 7061-7078, Patch 22
* SecureSphere 7.5: Release 7564, Patch 10
* SecureSphere 8.0: Release 8265, Patch 3
* SecureSphere 8.5: Release 8.5, Patch 1
567774
Updated: May 31, 2011
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Thanks to Sean Talbot of Dell SecureWorks for reporting this vulnerability.
This document was written by Jared Allar.
| Field | Value |
|---|---|
| CVE IDs | CVE-2011-0767 |
| Severity Metric | 1.61 |
| Date Public | |