Novell IDM Cross Site Scripting and HTML Injection Vulnerabilities
BID:30952
Info
| Bugtraq ID: | 30952 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 29 2008 12:00AM |
| Updated: | Sep 02 2008 10:34PM |
| Credit: | Novell |
| Vulnerable: | Novell User Application 3.5.1; Novell User Application 3.5; Novell User Application 3.0.1; Novell Identity Manager Roles Based Provisioning Module 3.6.1; Novell Identity Manager Roles Based Provisioning Module 3.6 |
| Not Vulnerable: | |
Discussion
Novell User Application and Identity Manager Roles Based Provisioning Module are prone to multiple security vulnerabilities, including multiple HTML-injection issues and a cross-site scripting issue.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user. Other attacks are also possible.
The following versions of Novell User Application are vulnerable:
3.0.1
3.5.0
3.5.1
The following versions of Novell Identity Manager Roles Based Provisioning Module are vulnerable:
3.6.0
3.6.1
Exploit / POC
An attacker can exploit these issues through a browser. To exploit a cross-site scripting vulnerability, the attacker must entice an unsuspecting victim into following a malicious URI.
Solution / Fix
Solution:
The vendor has released patches and updates. Please see the references for more information.
References
References:
- Novell SA 5033820 - IDM Roles Based Provisioning Module 361 Field Patch A (Novell)
- Novell SA 5033840 - IDM User Application 351 Field Patch V (Novell)
- Novell SA 5033841 - IDM Roles Based Provisioning Module 360 Field Patch C (Novell)
- Novell SA 5033860 - IDM User Application 350 Field Patch AD (Novell)
- Novell SA 5033880 - IDM User Application 301 Field Patch R (Novell)
- Novell SA 7001157 - Cross-Site Scripting vulnerability in the User Application (Novell)