EMC RSA Authentication Manager < 8.4 P10 Multiple Vulnerabilites (DSA-2020-052)

medium Nessus Plugin ID 135179

Synopsis

An application running on the remote host is affected by an insecure credential management vulnerability.

Description

The version of EMC RSA Authentication Manager running on the remote host is prior to 8.4 Patch 10. It is, therefore, affected by multiple vulnerabilities:

- A cross-site scripting (XSS) vulnerability exists in Security Console due to improper validation of user-supplied input before returning it to users. An authenticated, remote attacker can exploit this to store code in a Security Console report that will then be run by other Security Console administrators accessing a report page. (CVE-2020-5339)

- A cross-site scripting (XSS) vulnerability exists in Security Console due to improper validation of user-supplied input before returning it to users. An authenticated, remote attacker can exploit this to store code in a Security Console default security domain mapping that will then be run by other Security Console administrators attempting to change the default security domain mapping. (CVE-2020-5340)

Solution

Upgrade to EMC RSA Authentication Manager version 8.4 Patch 10 or later.

See Also

https://nvd.nist.gov/vuln/detail/CVE-2020-5339

http://www.nessus.org/u?e1e30067

Plugin Details

Severity: Medium

ID: 135179

File Name: emc_rsa_am_8_4_p10.nasl

Version: 1.3

Type: remote

Family: CGI abuses

Published: 4/2/2020

Updated: 4/24/2020

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2020-5339

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:emc:rsa_authentication_manager, cpe:/a:rsa:authentication_manager

Required KB Items: installed_sw/EMC RSA Authentication Manager

Exploit Ease: No known exploits are available

Patch Publication Date: 2/26/2019

Vulnerability Publication Date: 2/26/2019

Reference Information

CVE: CVE-2020-5339

BID: 107210

IAVB: 2020-B-0017-S