Symantec SecurityExpressions Audit and Compliance Server Multiple XSS

High | Nessus Network Monitor Plugin ID 5206

Synopsis

The remote web application is affected by multiple cross-site scripting vulnerabilities.

Description

The remote web server is running Symantec SecurityExpressions Audit and Compliance Server. The installed version is potentially affected by multiple cross-site scripting vulnerabilities:

- The web console fails to sanitize user-supplied input to certain unspecified parameters. An authorized user may be able to exploit this issue to inject arbitrary HTML or script code into a user's browser, where it would execute within the security context of the affected site.

- Certain error messages are not properly encoded, which could be exploited by an attacker to inject arbitrary HTML content into a user's browser session.

Solution

Apply Hot Fix 1 referenced in article KB49452.

See Also

http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091006_00

Plugin Details

Severity: High

ID: 5206

Family: CGI

Published: 10/8/2009

Updated: 3/6/2019

Nessus ID: 42083

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:symantec:securityexpressions_audit_and_compliance_server

Patch Publication Date: 10/6/2009

Vulnerability Publication Date: 10/6/2009

Reference Information

CVE: CVE-2009-3029, CVE-2009-3030

BID: 36570, 36571