SB2011100502 - Cross-site scripting in CyberArk Password Vault Web Access

Description

This security bulletin contains information about 1 security vulnerability.

1) Cross-site scripting (CVE-ID: CVE-2011-0459)

Vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in Cyber-Ark Password Vault Web Access (PVWA) 5.0 and earlier, 5.5 through 5.5 patch 4, and 6.0 through 6.0 patch 2. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• http://jvn.jp/en/jp/JVN11424086/index.html
• http://jvndb.jvn.jp/jvndb/JVNDB-2011-000023
• http://secunia.com/advisories/44058
• http://www.securityfocus.com/bid/47271