Vulnerability identifier: #VU7496
Vulnerability risk: Low
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-79
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
RSA Via Lifecycle and Governance
Client/Desktop applications /
Encryption software
RSA Identity Governance and Lifecycle
Client/Desktop applications /
Encryption software
RSA Identity Management and Governance
Client/Desktop applications /
Encryption software
Vendor: RSA
Description
The disclosed vulnerability allows a remote authenticated attacker to perform cross-site scripting (XSS) attacks.
The vulnerability is caused by incorrect filtration of input data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Mitigation
Update RSA Identity Governance and Lifecycle to versions 7.0.1 P03, 7.0.2 P01.
Update RSA Via Lifecycle and Governance to version 7.0.1 P03.
Update RSA Identity Management and Governance (RSA IMG) to version 6.9.1 P23.
Vulnerable software versions
RSA Via Lifecycle and Governance: 7.0
RSA Identity Governance and Lifecycle: 7.0.1 - 7.0.2
RSA Identity Management and Governance: 6.9.1
External links
http://seclists.org/fulldisclosure/2017/Jul/24
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.