Detections
Analytics
BlackBerry Enterprise Service (BES) Management Console 12.x < 12.4.1 Multiple XSS
medium Nessus Plugin ID 91460
Language:
Synopsis
The remote host is running an application that is affected by multiple cross-site scripting vulnerabilities.Description
According to its self-reported version, the BlackBerry Enterprise Service (BES) management console running on the remote host is prior to 12.4.1. It is, therefore, affected by the following vulnerabilities :- A cross-site scripting vulnerability exists due to improper validation of crafted admin policies. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-1916)
- Multiple unspecified cross-site scripting vulnerabilities exist due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-1917, CVE-2016-1918, CVE-2016-3126)
Solution
Upgrade to BlackBerry Enterprise Service version 12.4.1 or later.See Also
http://support.blackberry.com/kb/articleDetail?articleNumber=000038117
http://support.blackberry.com/kb/articleDetail?articleNumber=000038118
http://support.blackberry.com/kb/articleDetail?articleNumber=000038119
Plugin Details
Severity: Medium
ID: 91460
File Name: blackberry_es_12_4_1.nasl
Version: 1.5
Type: combined
Family: CGI abuses : XSS
Published: 6/3/2016
Updated: 11/19/2019
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.0
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.7
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS Score Source: CVE-2016-3126
CVSS v3
Risk Factor: Medium
Base Score: 6.1
Temporal Score: 5.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:blackberry:blackberry_enterprise_service
Required KB Items: installed_sw/BlackBerry Enterprise Service
Exploit Ease: No exploit is required
Patch Publication Date: 4/12/2016
Vulnerability Publication Date: 4/12/2016
Reference Information
CVE: CVE-2016-1916, CVE-2016-1917, CVE-2016-1918, CVE-2016-3126