SNS XSS

Advisory ID     CVE Number  Date discovered  Severity  Advisory revision
STORM-2018-006              10/19/2018       medium    v1

Vulnerability details

A self-XSS has been found in the command line interface of the SNS web interface.

Products

Product                        Severity  Detail
Stormshield Network Security   medium    SNS is impacted by this XSS.
Stormshield Endpoint Security  None      NA
Stormshield Data Security      None      NA
Fast360                        None      NA
Netasq                         None      NA

Revisions

Version  Date        Description
v1       02/07/2019  Initial release
v2       02/08/2019  Fix issue about SNS 2.13 being impacted

 



Stormshield Network Security

CVSS Overall Score: 4.7

Analysis

A self-XSS has been found in the command line interface of the SNS web interface.

It allows an attacker who already has access to the administration interface to inject JavaScript code.
The injected JavaScript code persists across login/logout of the administration interface.
An attacker could use it as a backdoor to keep access to the system.

Impacted version

  • SNS 3.0.0 to 3.7.1
  • SNS 2.0.0 to 2.13.0

Workaround solution

There is no workaround solution.

Solution

The 3.7.2 and 3.8.0 updates fix this vulnerability.



Access vector  Access complexity  Authentication  Confidentiality impact  Integrity impact  Availability impact
Local          High               Single          Complete                Complete          Complete
CVSS Base score: 6
CVSS Vector: (AV:L/AC:H/Au:S/C:C/I:C/A:C)

Exploitability         Remediation Level  Report Confidence
Proof of concept code  Official fix       Confirmed
CVSS Temporal score: 4.7
CVSS Vector: (AV:L/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)

Collateral Damage Potential  Target Distribution
None                         High [76-100%]
CVSS Environmental score: 4.7
CVSS Vector: (AV:L/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C/CDP:N/TD:H)