search menu icon-carat-right cmu-wordmark

CERT Coordination Center


NetScreen Instant Virtual Extranet (IVE) platform contains cross-site scripting vulnerability in delhomepage.cgi

Vulnerability Note VU#114070

Original Release Date: 2004-03-09 | Last Revised: 2004-03-09

Overview

NetScreen Instant Virtual Extranet (IVE) platform contains a cross-site scripting vulnerability in the row parameter of delhomepage.cgi, which could allow an attacker to mount a cross-site scripting attack.

Description

The Instant Virtual Extranet platform is an application security gateway that includes a built-in web server. The delhomepage.cgi script does not adequately validate the value of the row parameter. It is possible to use a cross-site scripting technique to inject malicious script (JavaScript, VBScript, etc.) or HTML into a web page using a specially crafted row parameter.

According to NetScreen:
The scope of the problem is limited because only authenticated users can access the affected URL.

Impact

A remote attacker could access sensitive information related to the vulnerable web page (cookies, form values, URI data). The attacker could also attempt to mislead the user into providing sensitive information such as login credentials.

Solution

Apply Patch

NetScreen has provided a patch to address this vulnerability. For details on obtaining the patch corresponding to your currently installed release, please refer to the NetScreen Advisory.

Vendor Information

114070
Expand all

NetScreen

Updated:  March 09, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please refer to the NetScreen Advisory.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was reported by Mark Lachniet.

This document was written by Damon Morda.

Other Information

CVE IDs: None
Severity Metric: 1.03
Date Public: 2004-03-02
Date First Published: 2004-03-09
Date Last Updated: 2004-03-09 21:24 UTC
Document Revision: 11

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.