CVE-2019-18574

03.12.2019, 21:15

RSA Authentication Manager software versions prior to 8.4 P8 contain a stored cross-site scripting vulnerability in the Security Console. A malicious Security Console administrator could exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface which could then be included in a report. When other Security Console administrators open the affected report, the injected scripts could potentially be executed in their browser.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
dell	CNA	4.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 48%

Vendor	Product	Version
emc	rsa_authentication_manager	8.4
emc	rsa_authentication_manager	8.4:p1
emc	rsa_authentication_manager	8.4:p2
emc	rsa_authentication_manager	8.4:p3
emc	rsa_authentication_manager	8.4:p4
emc	rsa_authentication_manager	8.4:p5
emc	rsa_authentication_manager	8.4:p6
emc	rsa_authentication_manager	8.4:p7
rsa	authentication_manager	𝑥 < 8.4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://www.dell.com/support/security/en-us/details/DOC-109297/DSA-2019-168-RSA&#174%3B-Authentication-Manager-Software-Stored-Cross-Site-Scripting-Vulnerability