Cross-site scripting in RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance - CVE-2019-3761
Published: September 11, 2019 / Updated: August 8, 2020
Vulnerability identifier: #VU35500
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-3761
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: RSA
Affected software:
RSA Identity Governance and Lifecycle
RSA Via Lifecycle and Governance
RSA Identity Governance and Lifecycle
RSA Via Lifecycle and Governance
Detailed vulnerability description
The vulnerability allows a remote authenticated user to read and manipulate data.
The RSA Identity Governance and Lifecycle software and RSA Via Lifecycle and Governance products prior to 7.1.0 P08 contain a stored cross-site scripting vulnerability in the Access Request module. A remote authenticated malicious user could potentially exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. When victim users access the data store through their browsers, the stored malicious code would gets executed by the web browser in the context of the vulnerable web application.
How to mitigate CVE-2019-3761
Install update from vendor's website.