Vulnerability Note VU#802596
Pattern Insight 2.3 contains multiple vulnerabilities
The Pattern Insight web interface contains multiple vulnerabilities.
CWE-352: Cross-Site Request Forgery (CSRF) CVE-2012-4935: Pattern Insight: CSRF protections do not exist
When an already authorized victim navigates to a malicious site containing a hidden form request, it is possible for the malicious site to make authenticated requests to Pattern Insight on behalf of the victim.
1. Attacker obtains a "valid" session key.
2. Attacker sets the victim's jsession_id session cookie to the "valid" session key from step 1.
3. The attacker now knows the session id of a valid session.
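The CSRF weakness and the session-fixation sequence above are both defeated on the server side by the same two controls: never adopt a session id the client supplied but the server did not issue (and rotate the id at login), and require a per-session synchronizer token on every state-changing request. The following Python model is an added illustration and is not Pattern Insight code; the in-memory `SessionStore`, the `handle_state_change` handler, and the cookie name `jsession_id` are assumptions standing in for the application's real servlet-container session handling.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical cookie name, taken from the advisory's description.
SESSION_ID_COOKIE = "jsession_id"


class Session:
    """Per-session state: the logged-in user (if any) and a CSRF token."""

    def __init__(self, user: Optional[str] = None):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)


class SessionStore:
    """In-memory session store (hypothetical; stands in for the container)."""

    def __init__(self):
        self._sessions = {}  # type: Dict[str, Session]

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)

    def resolve(self, cookies: Dict[str, str]) -> Tuple[str, Session]:
        """Look up the session named by the cookie. An id the server never
        issued (for example one planted by an attacker) is never adopted;
        a fresh server-generated session is created instead."""
        sid = cookies.get(SESSION_ID_COOKIE)
        if sid is not None and sid in self._sessions:
            return sid, self._sessions[sid]
        sid = self._new_id()
        self._sessions[sid] = Session()
        return sid, self._sessions[sid]

    def login(self, cookies: Dict[str, str], user: str) -> str:
        """Authenticate and rotate the session id, so any id known before
        login (a fixed one included) stops identifying the session."""
        old_sid, _ = self.resolve(cookies)
        self._sessions.pop(old_sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user=user)
        return new_sid

    def is_authenticated(self, sid: str) -> bool:
        session = self._sessions.get(sid)
        return session is not None and session.user is not None

    def csrf_token_for(self, sid: str) -> str:
        """Token to embed as a hidden field in the application's own forms."""
        return self._sessions[sid].csrf_token


def handle_state_change(store: SessionStore, cookies: Dict[str, str],
                        form: Dict[str, str]) -> Tuple[int, str]:
    """Synchronizer-token check for a state-changing POST. A hidden form on a
    third-party site makes the browser attach the victim's cookie, but that
    site cannot read the token, so its request fails here with 403."""
    sid, session = store.resolve(cookies)
    if session.user is None:
        return 401, "not authenticated"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "csrf token missing or invalid"
    return 200, "action performed for %s" % session.user


if __name__ == "__main__":
    store = SessionStore()
    # Constructed scenario: the browser arrives with an attacker-chosen id.
    sid = store.login({SESSION_ID_COOKIE: "attacker-known-id"}, "alice")
    print("planted id still valid?", store.is_authenticated("attacker-known-id"))
    print("forged POST:", handle_state_change(store, {SESSION_ID_COOKIE: sid}, {}))
    token = store.csrf_token_for(sid)
    print("legit POST:", handle_state_change(store, {SESSION_ID_COOKIE: sid},
                                             {"csrf_token": token}))
```

The token must be carried in the request body (or a custom header), never only in the cookie, because the cookie is exactly what the victim's browser sends automatically; an origin check on the `Origin`/`Referer` header is a useful second layer but not a substitute.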
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVE-2012-4938: Pattern Insight: HTML Injection In Banner Message
An admin can edit the banner message seen by all users. HTML is allowed in this message. A possible solution is OWASP AntiSamy for whitelisting where HTML is still needed (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project).
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVE-2012-4950: Pattern Insight: HTML Injection In Keyword Search page
The error messages on the Keyword Search page do not properly escape characters after encountering a character that the backend cannot parse. This results in a reflected XSS if an attacker sends a victim a properly crafted URL and the victim visits the application using that link.
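Both XSS issues above come down to how untrusted text is put into a page: the banner needs an allow-list sanitizer because some HTML is wanted, while the search error message needs plain entity escaping of the rejected query. The following Python is an added example, not Pattern Insight code; `AllowListSanitizer`, `sanitize_banner` and `render_search_error` are hypothetical names, and the small tag allow-list is a stand-in for the policy file a tool such as AntiSamy would carry.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list for the admin banner: simple formatting and links only.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
ALLOWED_SCHEMES = ("http", "https")


class AllowListSanitizer(HTMLParser):
    """Re-serialises HTML keeping only allow-listed tags and attributes.
    Every other tag is dropped (its text is kept, escaped) and all text and
    attribute values are entity-escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []  # stack of kept tags, to close them in order

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            # Links may only point at http(s); javascript:/data: URLs are dropped.
            if name == "href" and urlparse(value).scheme.lower() not in ALLOWED_SCHEMES:
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:
            # Close anything opened after it so the output stays well-formed.
            while self.open:
                closed = self.open.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

    def result(self) -> str:
        while self.open:
            self.out.append("</%s>" % self.open.pop())
        return "".join(self.out)


def sanitize_banner(raw: str) -> str:
    """Admin-supplied banner HTML -> HTML that only contains allowed markup."""
    parser = AllowListSanitizer()
    parser.feed(raw)
    parser.close()
    return parser.result()


def render_search_error(query: str) -> str:
    """Echo the rejected keyword query into the page as inert text."""
    return '<p class="error">Could not parse query: %s</p>' % html.escape(query, quote=True)


if __name__ == "__main__":
    # Constructed inputs; both would execute script if inserted unchanged.
    print(sanitize_banner('<b>Maintenance</b> tonight <script>alert(1)</script>'
                          '<a href="javascript:evil()">link</a> & more'))
    print(render_search_error('foo"<img src=x onerror=alert(1)>'))
```

Note that the sanitizer also drops comments and attributes such as `onclick`, and that `render_search_error` is only correct for an HTML text or attribute context; a value placed inside a `<script>` block or a URL needs the encoding for that context instead.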
An attacker with access to the Pattern Insight web interface can conduct a cross-site scripting, cross-site request forgery, or privilege escalation attack, which could result in information leakage, privilege escalation, and/or denial of service. Also, because the application can be framed, an attacker can perform clickjacking attacks.
We are currently unaware of a practical solution to this problem.
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Pattern Insight | Affected | 07 Sep 2012 | 24 Oct 2012 |
Thanks to the reporter who wishes to remain anonymous.
This document was written by Michael Orlando.
- CVE IDs: CVE-2012-4935 CVE-2012-4936 CVE-2012-4937 CVE-2012-4938 CVE-2012-4950
- Date Public: 02 Nov 2012
- Date First Published: 02 Nov 2012
- Date Last Updated: 08 Nov 2012
- Document Revision: 15