[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CodeMeter WebAdmin Cross-site Scripting (XSS) Vulnerability
Vulnerability title: CodeMeter WebAdmin Cross-site Scripting (XSS) Vulnerability
CVSS Risk Rating: 3.9 (Low)
Product: CodeMeter WebAdmin
Application Vendor: Wibu-Systems
Vendor URL: http://www.codemeter.de
Public disclosure date: 5/30/2011
Discovered by: Rob Kraus and the Solutionary Engineering Research Team (SERT)
Solutionary ID: SERT-VDN-1007
Solutionary public disclosure URL: http://www.solutionary.com/index/SERT/Vuln-Disclosures/CodeMeter-WebAdmin.html
Licenses.html (BoxSerial parameter)
Affected software versions: WebAdmin version 3.30 and 4.30 (previous versions may also be vulnerable)
Impact: Successful attacks could disclose sensitive information about the user, session, and application to the attacker, resulting in a loss of confidentiality. Using XSS, an attacker could insert malicious code into a web page and entice naïve users to execute the malicious code.
Fixed in: Pending - The vendor has logged the issue and anticipates a patch to be available in Autumn 2011.
Remediation guidelines: Restrict access to internal network segments and monitor vendor notifications for application updates that may address and fix the issues identified. Remove the hardware dongle from the affected system when not needed.