Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Sun Alert 243386 Multiple Security Vulnerabilities in Sun Java System Identity Manager
Informations
Name SUN-243386 First vendor Publication 2008-11-11
Vendor Sun Last vendor Modification 2010-01-20
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Cvss Base Score 7.8 Attack Range Network
Cvss Impact Score 6.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Product: Sun Java System Identity Manager 6.0, Sun Java System Identity Manager 7.0, Sun Java System Identity Manager 7.1

Sun Java System Identity Manager is affected by multiple securityvulnerabilities with varying impacts. 

Cross-site Scripting (XSS)vulnerabilities may allow a local or remote unprivileged user theability to execute unauthorized scripting code in a user's browser whenthat user clicks a link to Sun Java System Identity Manager.

A certain vulnerability related to CSRF (Cross-site Request Forgery)may allow a local or remote unprivileged user to gain unauthorizedaccess to the Administrator account.

A further vulnerability may allow a local or remote unprivileged user to gain unauthorized access to certain files on the IDM server's filesystem.

In addition, two furthervulnerabilities may allow a local or remote unprivileged user toredirect the browser to unintended remote sites or to inject framescontaining data from unintended sites.

Sun would like to acknowledge with thanks, Richard Brain, Adrian Pastor and Jan Fry ofProCheckup Ltd. for bringing two of these issues to our attention.

State: Resolved
First released: 11-Nov-2008

Original Source

Url : http://blogs.sun.com/security/entry/sun_alert_243386_multiple_security

CWE : Common Weakness Enumeration

% Id Name
25 % CWE-352 Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)
25 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
25 % CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)
25 % CWE-20 Improper Input Validation

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 7

Open Source Vulnerability Database (OSVDB)

Id Description
49769 Sun Java System Identity Manager Unspecified Arbitrary Frame Injection

49768 Sun Java System Identity Manager Unspecified Arbitrary Site Redirection

49767 Sun Java System Identity Manager /idm/includes/helpServer.jsp ext parameter A...

49766 Sun Java System Identity Manager Admin /idm/admin/changeself.jsp Update Passw...

49765 Sun Java System Identity Manager Unspecified XSS

Nessus® Vulnerability Scanner

Date Description
2009-05-06 Name : The remote web server contains an application that allows arbitrary file retr...
File : sun_idm_ext_file_retrieval.nasl - Type : ACT_ATTACK

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2013-02-06 19:08:19
  • Multiple Updates