CVE-2017-8005

17.07.2017, 14:29

The EMC RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG products (RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels; RSA Via Lifecycle and Governance version 7.0, all patch levels; RSA Identity Management and Governance (RSA IMG) versions 6.9.1, all patch levels) are affected by multiple stored cross-site scripting vulnerabilities. Remote authenticated malicious users could potentially inject arbitrary HTML code to the application.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
dell	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 41%

Vendor	Product	Version
emc	rsa_identity_governance_and_lifecycle	7.0.1
emc	rsa_identity_governance_and_lifecycle	7.0.1.1
emc	rsa_identity_governance_and_lifecycle	7.0.1.2
emc	rsa_identity_governance_and_lifecycle	7.0.1.3
emc	rsa_identity_governance_and_lifecycle	7.0.2
emc	rsa_identity_governance_and_lifecycle	7.0.2.1
emc	rsa_identity_management_and_governance	6.9.1
emc	rsa_identity_management_and_governance	6.9.1.1
emc	rsa_identity_management_and_governance	6.9.1.2
emc	rsa_identity_management_and_governance	6.9.1.3
emc	rsa_identity_management_and_governance	6.9.1.4
emc	rsa_identity_management_and_governance	6.9.1.5
emc	rsa_identity_management_and_governance	6.9.1.6
emc	rsa_identity_management_and_governance	6.9.1.7
emc	rsa_identity_management_and_governance	6.9.1.8
emc	rsa_identity_management_and_governance	6.9.1.9
emc	rsa_identity_management_and_governance	6.9.1.10
emc	rsa_identity_management_and_governance	6.9.1.11
emc	rsa_identity_management_and_governance	6.9.1.12
emc	rsa_identity_management_and_governance	6.9.1.13
emc	rsa_identity_management_and_governance	6.9.1.14
emc	rsa_identity_management_and_governance	6.9.1.15
emc	rsa_identity_management_and_governance	6.9.1.16
emc	rsa_identity_management_and_governance	6.9.1.17
emc	rsa_identity_management_and_governance	6.9.1.18
emc	rsa_identity_management_and_governance	6.9.1.19
emc	rsa_identity_management_and_governance	6.9.1.20
emc	rsa_identity_management_and_governance	6.9.1.21
emc	rsa_identity_management_and_governance	6.9.1.22
emc	rsa_identity_management_and_governance	6.9.1.23
emc	rsa_identity_management_and_governance	6.9.1.24
rsa	rsa_via_lifecycle_and_governance	7.0
rsa	rsa_via_lifecycle_and_governance	7.0.0.1
rsa	rsa_via_lifecycle_and_governance	7.0.0.2
rsa	rsa_via_lifecycle_and_governance	7.0.0.3
rsa	rsa_via_lifecycle_and_governance	7.0.0.4
rsa	rsa_via_lifecycle_and_governance	7.0.0.5

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

http://seclists.org/fulldisclosure/2017/Jul/24

http://www.securityfocus.com/bid/99591

http://www.securitytracker.com/id/1038877

http://seclists.org/fulldisclosure/2017/Jul/24

http://www.securityfocus.com/bid/99591

http://www.securitytracker.com/id/1038877