Message-ID: <64a852af0709120221y291c2973k4141eb0dd3cf5014@mail.gmail.com>
Date: Wed, 12 Sep 2007 10:21:55 +0100
From: "Stelios Tigkas" <stigkas@...il.com>
To: bugtraq@...urityfocus.com
Subject: RSA EnVision Reflected XSS Hole
#########################################
Application: RSA EnVision
Vendor: http://www.rsa.com
Version: Version 3.3.6 Build 0115
Bug: Cross-Site Scripting
Risk: Medium
Date: 12 Sept 2007
Author: Stelios Tigkas
e-mail: Stigkas at Gmail dot com
Current Employer: Fujitsu Services
List: BugTraq(SecurityFocus)
#########################################
=======
Product
=======
A Security Event Management Solution.
===
Bug
===
There is a Reflected (Type I) Cross-Site Scripting hole on the
username field, in the logon page of the EnVision application. The
following attack vector has been confirmed by the Vendor to work:
</script><script>alert(document.cookie)</script>.
RSA were notified on 23.03.2007.
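
The vector above begins with </script>, which is consistent with the username being echoed inside an inline script block. Assuming that, the following added example (not part of the original advisory and not RSA's code; the page markup and all function names are hypothetical) contrasts raw reflection with context-specific output encoding, using the advisory's vector as test input.

```javascript
// Added example: output encoding for a logon page that echoes the username.
// Markup and function names are hypothetical, not taken from RSA enVision.

// Escape for HTML text and quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Serialize a value for use inside an inline <script> block.
// JSON.stringify alone is not enough: the HTML parser ends the script element
// at the first "</script" it sees, regardless of JavaScript string quoting.
function toScriptLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Vulnerable rendering: raw reflection in both contexts (assumed layout).
function renderLoginUnsafe(username) {
  return '<input name="username" value="' + username + '">\n' +
         '<script>var lastUser = "' + username + '";</script>';
}

// Hardened rendering: each output context gets its own encoder.
function renderLoginSafe(username) {
  return '<input name="username" value="' + escapeHtml(username) + '">\n' +
         '<script>var lastUser = ' + toScriptLiteral(username) + ';</script>';
}

// Count the script elements an HTML parser would open in the markup.
function countScriptOpens(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// The vector quoted in the advisory, used here only as test input.
const VECTOR = '</script><script>alert(document.cookie)</script>';
```

With the hardened renderer the page contains only the one script element the template itself emits, and the encoded literal still decodes to the exact string the user typed.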