BusinessObjects XI cms Cross-Site Scripting Vulnerability - Security


Editor Login \| Register		Ekle

> World > Security

BusinessObjects XI cms Cross-Site Scripting Vulnerability - Security - World -

CWRedLight

(Date : 17.04.2008 20:37:39)

BusinessObjects XI cms Cross-Site Scripting Vulnerability

Secunia Advisory:	SA29804
Release Date:	2008-04-17

Critical:	Less critical
Impact:	Cross Site Scripting
Where:	From remote
Solution Status:	Vendor Patch

Software:	BusinessObjects XI 3.x

Description:
Sebastien gioria has reported a vulnerability in BusinessObjects XI, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "cms" parameter when logging in is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user"s browser session in context of an affected site.

The vulnerability is reported in BusinessObjects XI R2 SP1, SP2, and SP3 prior to FixPack 3.5 (Java version).

NOTE: The .NET version is reportedly not affected.

Solution:
Apply FixPack 3.5.
http://support.businessobjects.com/downloads/critical_hot_fixes/default.asp

Provided and/or discovered by:
Sebastien gioria

Original Advisory:
http://lists.grok.org.uk/pipermail/full-disclosure/2008-April/061428.html

Derecelendir

Kaynak

http://secunia.com/advisories/29804/

İçerik İhbarı

Bağlantılar: bilgininefendisi.net

Open Source Document Project

AUP&TOS