Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title ForeScout CounterACT reflected XSS vulnerability
Informations
Name VU#815532 First vendor Publication 2012-06-08
Vendor VU-CERT Last vendor Modification 2012-06-08
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score 4.3 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#815532

ForeScout CounterACT reflected XSS vulnerability

Original Release date: 08 Jun 2012 | Last revised: 08 Jun 2012

Overview

The ForeScout CounterACT appliance contains reflected cross-site scripting (XSS) vulnerabilities.

Description

The web interface of the ForeScout CounterACT appliance contains reflected XSS vulnerabilities (CWE-79). The following are a couple examples:

hxxp://xxx.xxx.xxx.xxx/status?username=test"><script>alert(1);</script>
hxxp://xxx.xxx.xxx.xxx/status?action=4362907358160917120&forgotpass=true&loginname=test<script>alert(1);</script>

Additional details may be found in ForeScout Security Advisory 12-01. (Login Required)

Impact

A remote attacker may, by luring a user into clicking a malicious URL, be able to disclose sensitive information, steal user cookies, or escalate privileges.

Solution

Apply an Update

  • CounterACT 6.3.3.2 install Hotfix 4.12050
  • CounterACT 6.3.4.0 install Hotfix 10.0
  • CounterACT 6.3.4.1 install Hotfix 6.0
  • CounterACT 6.3.4.10 install Hotfix 1.0

Customers may obtain these patches automatically via the "Check For Updates" function or by logging into the ForeScout Customer Support Portal. (Login Required)

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
ForeScoutAffected02 May 201207 Jun 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base6.4AV:N/AC:L/Au:N/C:P/I:P/A:N
Temporal5.0E:POC/RL:OF/RC:C
Environmental5.0CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

  • http://updates.forescout.com/support
  • http://cwe.mitre.org/data/definitions/79.html

Credit

Thanks to Travis Lee for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs:CVE-2012-1825
  • Date Public:07 Jun 2012
  • Date First Published:08 Jun 2012
  • Date Last Updated:08 Jun 2012
  • Document Revision:20

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

Original Source

Url : http://www.kb.cert.org/vuls/id/815532

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 2