| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <200902181726.n1IHQOSA015990@www5.securityfocus.com> Date: Wed, 18 Feb 2009 10:26:24 -0700 From: ddvulnalert@...fronline.com To: bugtraq@...urityfocus.com Subject: DDIVRT-2009-20 NetMRI Login Application Cross-site Scripting Vulnerability Title ----- DDIVRT-2009-20 NetMRI Login Application Cross-site Scripting Vulnerability Severity -------- Low Date Discovered --------------- January 19th 2009 Discovered By ------------- Digital Defense, Inc. Vulnerability Research Team Credit: David Marshall and r@...$ Vulnerability Description ------------------------- NetMRI contains a cross-site scripting (XSS) issue whereby portions of the GET request are echoed back in an error page. This allows scripting tags to be executed by the browser to perform XSS attacks. Such an attack would require convincing a user to click on a specially crafted link. Solution Description -------------------- On February 18, 2009, Netcordia released a patch named "CrossScriptPatch.gpg" to address this vulnerability in all currently supported versions of NetMRI through v3.0.1. Customers can acquire the patch through the normal mechanisms or contact Netcordia Technical Support (support@...cordia.com) for assistance. Additionally, the necessary changes will be incorporated in future versions beginning with NetMRI v3.0.2. Tested Systems / Software (with versions) ------------------------------------------ Red Hat Linux, NetMRI Vendor Contact -------------- Name: Netcordia Website: http://www.netcordia.com/products/netmri-event-analysis.asp Contact Information: http://www.netcordia.com/contact/index.asp
Powered by blists - more mailing lists