Multiple vulnerabilities in RSA Archer eGRC

Published: 2018-03-07 16:35:50 | Updated: 2018-03-07 16:37:31
Severity: Low
Patch available: Yes
Number of vulnerabilities: 2
CVE ID: CVE-2018-1220, CVE-2018-1219
CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]; 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CWE ID: CWE-601, CWE-284
Exploitation vector: Network
Public exploit: Not available
Vulnerable software: RSA Archer
Vulnerable software versions: RSA Archer 6.2.0.5, RSA Archer 6.2.0.0, RSA Archer 6.2.0.1
Vendor URL: EMC Corporation

Security Advisory

1) Open redirect

Description

The vulnerability allows a remote unauthenticated attacker to redirect the target user to external websites.

The weakness exists in the QuickLinks feature due to improper validation of user-supplied input. A remote attacker can craft a malicious image link, trick the victim into opening it, and thereby redirect the user to an arbitrary external website.
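The kind of redirect-target validation whose absence produces CWE-601, as an added example that is not RSA's code and is not taken from the advisory. It assumes a web handler receiving a user-supplied redirect parameter and an allowlist host that are both constructed for illustration; it rejects the usual bypasses (protocol-relative `//host`, backslash and triple-slash variants, `user@host` confusion, and non-HTTP schemes).

```python
from urllib.parse import urlsplit

# Hosts the application is willing to redirect to (constructed placeholder).
ALLOWED_HOSTS = {"archer.example.internal"}


def is_safe_redirect(target: str, allowed_hosts=frozenset(ALLOWED_HOSTS)) -> bool:
    """Return True only if `target` keeps the user on an allowed host."""
    if not target:
        return False
    # Control characters and whitespace can alter how a browser parses the
    # scheme; refuse them rather than trying to normalise.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat "\" like "/", so "/\evil.example" becomes "//evil.example".
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme:
        # Only http(s); this rejects javascript:, data:, vbscript: and friends.
        if parts.scheme.lower() not in ("http", "https"):
            return False
        # "http:evil.example" yields no hostname (None) and is rejected, as is
        # "https://allowed@evil.example", whose hostname is evil.example.
        return parts.hostname in allowed_hosts
    if parts.netloc:
        # Protocol-relative URL ("//host/path"): host must be allowlisted.
        return parts.hostname in allowed_hosts
    # Scheme-less and host-less: accept only a site-absolute path. "///host"
    # starts with "//" and is rejected, because browsers treat it as a host.
    return normalised.startswith("/") and not normalised.startswith("//")


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Return the validated target, or a safe in-site fallback otherwise."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    for candidate in ("/Default.aspx", "//evil.example/", "/\\evil.example",
                      "javascript:alert(1)", "https://archer.example.internal/x"):
        print(f"{candidate!r:45} -> {resolve_redirect(candidate)!r}")
```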

Remediation

Update to version 6.2.0.8.

External links

http://seclists.org/fulldisclosure/2018/Mar/12

2) Information disclosure

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.

The weakness exists due to an access control flaw in an API. A remote attacker can use it to determine valid usernames on the target system.

Remediation

Update to version 6.2.0.8.

External links

http://seclists.org/fulldisclosure/2018/Mar/12
