
Watchguard Server Center 11.7.4 Cross Site Scripting

21 Oct 2013 | Reported by Julien Ahrens | Type: packetstorm | Source: packetstormsecurity.com

Watchguard Server Center v11.7.4 Multiple Non-Persistent Cross-Site Scripting Vulnerabilities. They allow injection of arbitrary code in the context of Watchguard Server Center.

`Watchguard Server Center v11.7.4 Multiple Non-Persistent Cross-Site  
Scripting Vulnerabilities  
  
RCE Security Advisory  
http://www.rcesecurity.com  
  
  
1. ADVISORY INFORMATION  
-----------------------  
Product: Watchguard Server Center  
Vendor URL: www.watchguard.com  
Type: Cross-Site Scripting [CWE-79]  
Date found: 2013-09-11  
Date published: 2013-10-21  
CVSSv2 Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)  
CVE: CVE-2013-5702  
  
  
2. CREDITS  
----------  
These vulnerabilities were discovered and researched by Julien Ahrens  
from RCE Security.  
  
  
3. VERSIONS AFFECTED  
--------------------  
Watchguard Server Center v11.7.4 Update #1  
and other older versions may be affected too.  
  
  
4. VULNERABILITY DESCRIPTION  
----------------------------  
Multiple Non-Persistent Cross-Site Scripting vulnerabilities have been  
identified in the Watchguard Server Center v11.7.4 Update #1.  
  
Due to improper input validation of the following GET parameters, an  
attacker could temporarily inject arbitrary code into the context of the  
Watchguard Server Center / current browser session. This requires  
interaction by an authenticated user. Successful exploitation of these  
vulnerabilities allows, for example, cookie theft, session hijacking or  
client-side context manipulation.  
  
Vulnerable modules and parameters:  
+/log/device?sn=random&cluster_id=<XSS>&l_t=tr&name=random  
+/log/device?sn=random&cluster_id=random&l_t=tr&name=<XSS>  
+/log/log_html_distribution?sn=random&cluster_id=random&name=<XSS>  
  
  
5. PROOF-OF-CONCEPT (CODE / EXPLOIT)  
------------------------------------  
https://192.168.0.1:4130/log/device?sn=random&cluster_id=&l_t=tr&name=<script>alert('rcesecurity.com')</script>  
  
  
6. SOLUTION  
-----------  
Update to Watchguard Server Center v11.8, which fixes these issues.  
  
  
7. REPORT TIMELINE  
------------------  
2013-09-05: Discovery of the vulnerability  
2013-09-05: MITRE assigns CVE-2013-5702 for this issue  
2013-09-11: RCE Security sends vulnerability details to Watchguard via mail  
with disclosure date set to 26. September 2013  
2013-09-12: Watchguard ACKs all reported flaws, assigns bug ids: #76179 and  
#76363 and shows possible mitigation factors  
2013-09-26: RCE Security provides a PoC bypassing the mitigation factors and  
extends disclosure date to 17. October 2013  
2013-09-30: RCE Security asks for status update  
2013-10-10: Watchguard releases v11.8 which fixes all reported  
vulnerabilities  
2013-10-21: Responsible Disclosure  
  
  
8. REFERENCES  
-------------  
http://www.rcesecurity.com/2013/10/cve-2013-5702-watchguard-server-center-v11-7-4-multiple-xss-vulnerabilities/  
http://watchguardsecuritycenter.com/2013/10/17/xtm-11-8-secfixes/  
`
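
Until the update to v11.8 is in place, requests against the parameters listed in section 4 can be hunted in web access logs. The Python sketch below is an added example, not part of the advisory or of Watchguard's software. It assumes a Common/Combined Log Format access log (for instance from a reverse proxy in front of the service) and that legitimate ids and device names contain no quote or angle-bracket characters; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Paths and parameters listed in section 4 of the advisory.
AFFECTED = {
    "/log/device": ("cluster_id", "name"),
    "/log/log_html_distribution": ("name",),
}
# Assumption: legitimate ids and device names never contain these characters.
MARKUP = re.compile(r"[<>\"'`]")
# Assumption: access log in Common/Combined Log Format.
REQUEST = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(path, param, decoded_value)] for affected params carrying markup."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    query = parse_qs(url.query, keep_blank_values=True)
    hits = []
    for param in AFFECTED.get(url.path, ()):
        for raw in query.get(param, []):
            value = decode_fully(raw)
            if MARKUP.search(value):
                hits.append((url.path, param, value))
    return hits

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = [
    '10.0.0.5 - admin [21/Oct/2013:10:00:01 +0000] "GET /log/device?sn=random&cluster_id=&l_t=tr&name=%3Cscript%3Ealert(%27rcesecurity.com%27)%3C/script%3E HTTP/1.1" 200 512',
    '10.0.0.5 - admin [21/Oct/2013:10:00:09 +0000] "GET /log/device?sn=80B0&cluster_id=12&l_t=tr&name=XTM-Branch HTTP/1.1" 200 498',
    '10.0.0.7 - admin [21/Oct/2013:10:01:30 +0000] "GET /log/log_html_distribution?sn=80B0&cluster_id=1&name=%253Cb%253E HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for path, param, value in suspicious_params(line):
            print(f"ALERT {path} {param}={value!r}")
```

The third sample line shows why the value is decoded repeatedly: a double-encoded `%253C` passes a single decoding step looking harmless.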
