Scrutinizer Multiple Security Vulnerabilities

Bugtraq ID:	52989
Class:	Unknown
CVE:	CVE-2012-1258 CVE-2012-1259 CVE-2012-1260 CVE-2012-1261
Remote:	Yes
Local:	No
Published:	Apr 12 2012 12:00AM
Updated:	Apr 12 2012 12:00AM
Credit:	Tanya Secker
Vulnerable:	Plixer International Scrutinizer 8.6.2
Not Vulnerable:	Plixer International Scrutinizer 9.0.1.19899

Scrutinizer Multiple Security Vulnerabilities

Scrutinizer is prone to cross-site scripting, SQL-injection, HTML-injection, and security-bypass vulnerabilities.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, exploit latent vulnerabilities in the underlying database, access or modify data, gain unauthorized access, or bypass certain security restrictions.

Scrutinizer 8.6.2 is vulnerable; other versions may also be affected.

Scrutinizer Multiple Security Vulnerabilities

To exploit a cross-site scripting vulnerability, an attacker must entice an unsuspecting user to follow a malicious URI.

The following exploit is available:

• /data/vulnerabilities/exploits/52989.txt

Scrutinizer Multiple Security Vulnerabilities

Solution:
Reportedly the vendor has fixed the issue, however Symantec has not confirmed it. Please contact the vendor for more information.

Scrutinizer Multiple Security Vulnerabilities

References:

• Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer (Trustwave)
  
• Scrutinizer Homepage (Plixer International)