XSS with SNS update service
| Advisory ID | CVE Number | Date discovered | Severity | Advisory revision |
| --- | --- | --- | --- | --- |
| STORM-2019-016 | | 08/20/2019 | medium | v2 |
Vulnerability details
An attacker who spoofs the SNS update webservice can inject an XSS payload into the SNS web admin interface. As a result, an administrator's session can be hijacked, or the security of the administrator's browser can be compromised.
Impacted products
| Products | Severity | Detail |
| --- | --- | --- |
| Stormshield Network Security | medium | Vulnerable |
Revisions
| Version | Date | Description |
| --- | --- | --- |
| v1 | 08/20/2019 | Initial release |
| v2 | 10/07/2019 | Add SNS 2.x fix versions |
Stormshield Network Security
CVSS v2 Overall Score: 5.7

| Analysis | Impacted version |
| --- | --- |
| An attacker who spoofs the SNS update webservice can inject an XSS payload into the SNS web admin interface. As a result, an administrator's session can be hijacked, or the security of the administrator's browser can be compromised. | |

| Workaround solution | Solution |
| --- | --- |
| There is no workaround solution. | The SNS 2.7.5, 2.15.0, 3.7.7 and 3.9.1 updates will fix this vulnerability. |
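The defensive principle behind this class of bug, as an added example that is not Stormshield's code (the JSON shape of the update response, the field names `version` and `releaseNotes`, and the rendering functions are all assumptions): if the update webservice can be spoofed, everything it returns is attacker-controlled input, so the web admin must validate structured fields against an allowlist and HTML-encode free text before putting it into the page. The vulnerable rendering path is shown beside the hardened one, with a constructed spoofed response as input.

```javascript
// Added example, not Stormshield code: treat update-webservice responses as
// untrusted input before they reach the web admin page.
// Assumptions (hypothetical): the update service returns a JSON object with
// a "version" string and a free-text "releaseNotes" field that the admin UI
// displays inside its HTML.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value for the HTML text/attribute context so the browser treats it
// as data rather than markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Structured fields get an allowlist check instead of escaping: a version
// string is only ever digits separated by dots (2 to 4 components here), so
// anything else is rejected outright.
const VERSION_PATTERN = /^\d+(\.\d+){1,3}$/;

function validateVersion(version) {
  if (typeof version !== "string" || !VERSION_PATTERN.test(version)) {
    throw new Error("update service returned a malformed version string");
  }
  return version;
}

// Vulnerable pattern: remote data interpolated straight into markup.
function renderUpdateNoticeUnsafe(update) {
  return `<div class="update"><b>${update.version}</b><p>${update.releaseNotes}</p></div>`;
}

// Hardened pattern: validate structured fields, encode free text.
function renderUpdateNoticeSafe(update) {
  const version = validateVersion(update.version);
  const notes = escapeHtml(update.releaseNotes);
  return `<div class="update"><b>${escapeHtml(version)}</b><p>${notes}</p></div>`;
}

// Check used by the demo: does the produced markup still carry a script tag
// or an inline event handler? (A heuristic for the demo, not an HTML parser.)
function containsActiveContent(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed sample of a spoofed response (not a payload from the advisory).
const spoofedUpdate = {
  version: "9.9.9",
  releaseNotes: "Fixes <script>alert(1)</script>",
};

console.log("unsafe:", renderUpdateNoticeUnsafe(spoofedUpdate));
console.log("safe  :", renderUpdateNoticeSafe(spoofedUpdate));
```

Output encoding makes a spoofed response inert once it reaches the page, but it does not stop the spoofing itself; authenticating the update channel (for instance, verifying the update server's certificate) is a separate control and outside what this example shows.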
| Access vector | Access complexity | Authentication | Confidentiality impact | Integrity impact | Availability impact |
| --- | --- | --- | --- | --- | --- |
| Adjacent Network | Low | Single | Complete | Complete | Complete |

CVSS Base score: 7.7 | CVSS Vector: (AV:A/AC:L/Au:S/C:C/I:C/A:C)

| Exploitability | Remediation Level | Report Confidence |
| --- | --- | --- |
| Unproven that exploit exists | Official fix | Confirmed |

CVSS Temporal score: 5.7 | CVSS Vector: (AV:A/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)

| Collateral Damage Potential | Target Distribution |
| --- | --- |
| None | High [76-100%] |

CVSS Environmental score: 5.7 | CVSS Vector: (AV:A/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C/CDP:N/TD:H/CR:ND/IR:ND/AR:ND)