CVE-2020-5339

26.03.2020, 13:15

RSA Authentication Manager versions prior to 8.4 P10 contain a stored cross-site scripting vulnerability in the Security Console. A malicious RSA Authentication Manager Security Console administrator with advanced privileges could exploit this vulnerability to store arbitrary HTML or JavaScript code through the Security Console web interface. When other Security Console administrators open the affected report page, the injected scripts could potentially be executed in their browser.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
dell	CNA	4.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 46%

Vendor	Product	Version
emc	rsa_authentication_manager	𝑥 < 8.4
emc	rsa_authentication_manager	8.4
emc	rsa_authentication_manager	8.4:p1
emc	rsa_authentication_manager	8.4:p2
emc	rsa_authentication_manager	8.4:p3
emc	rsa_authentication_manager	8.4:p4
emc	rsa_authentication_manager	8.4:p5
emc	rsa_authentication_manager	8.4:p6
emc	rsa_authentication_manager	8.4:p7
emc	rsa_authentication_manager	8.4:p8
emc	rsa_authentication_manager	8.4:p9

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://community.rsa.com/docs/DOC-111092