NN-2019:1-01
Stored XSS in field name data model
Last update: 2019-11-11
| Advisory ID | NN-2019:1-01 |
|---|---|
| Topic | Stored XSS in field name data model |
| CWE Impact | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| Issue date | 2019-11-11 |
| Affects | Guardian, CMC < v19.0.4 |
| CVE Name(s) | NA |
| CVSS details | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N |
| CVSS Score | 7.6 |
| CVE Risk Level | High |
| Risk Level for Nozomi customers | Medium |
Summary
An attacker with admin access to the appliance can inject malicious code that will later be executed by another legitimate users. This allows an attacker to perform unauthorized actions on behalf of legitimate users. JavaScript injection was possible using the field name when adding new column to the data model section. The injected code will then be executed in the environment section under e.g. asset view.
Impact
Guardian/CMC starting before v19.0.4 are affected.
Affected Products
Guardian, CMC < v19.0.4
Workarounds and Mitigations
Not required
Solutions
Upgrade to v19.0.4
Modification History
2019-11-11: Initial revision
Related Links
Acknowledgements
Jonas Becker - Deloitte GmbH
Contact
Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.More contact details on the PSIRT page.