[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RSA EnVision Reflected XSS Hole

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: RSA EnVision Reflected XSS Hole
From: "Stelios Tigkas" <stigkas@xxxxxxxxx>
Date: Wed, 12 Sep 2007 10:21:55 +0100

#########################################
Application:           RSA EnVision
Vendor:                http://www.rsa.com
Version:                Version 3.3.6 Build 0115
Bug:                     Cross-Site Scripting
Risk:                     Medium
Date:                     12 Sept 2007
Author:                  Stelios Tigkas
e-mail:                   Stigkas at Gmail dot com
Current Employer:   Fujitsu Services
List:                       BugTraq(SecurityFocus)
#########################################


=======
Product
=======
A Security Event Management Solution.

===
Bug
===

There is a Reflected (Type I) Cross-Site Scripting hole on the
username field, in the logon page of the EnVision application. The
following attack vector has been confirmed by the Vendor to work:
</script><script>alert(document.cookie)</script>.

RSA have been notified on 23.03.2007

Prev by Date: Boinc Forum Cross Site Scripting Vulrnability
Next by Date: S21SEC-036-EN Ekiga <= 2.0.5 Denial of service
Previous by thread: Boinc Forum Cross Site Scripting Vulrnability
Next by thread: S21SEC-036-EN Ekiga <= 2.0.5 Denial of service
Index(es):
- Date
- Thread