search menu icon-carat-right cmu-wordmark

CERT Coordination Center

KnowledgeView Editorial and Management application cross-site scripting vulnerability

Vulnerability Note VU#521348

Original Release Date: 2013-09-23 | Last Revised: 2013-09-23

Overview

KnowledgeView Editorial and Management application contains a reflected cross-site scripting (XSS) vulnerability (CWE-79).

Description

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

KnowledgeView Editorial and Management application contains a reflected cross-site scripting vulnerability that can allow an attacker to inject arbitrary HTML content (including script) via the vulnerable query string parameter username.

Impact

A remote unauthenticated attacker can conduct a cross-site scripting attack, which may be used to result in information leakage, privilege escalation, and/or denial of service.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workaround.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the web interface using stolen credentials from a blocked network location.

Vendor Information

521348
 
Affected   Unknown   Unaffected

Knowledgeview

Notified:  August 21, 2013 Updated:  September 11, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
Temporal 4.0 E:POC/RL:U/RC:UC
Environmental 3 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Ali Hussein of Help AG Middle East for reporting this vulnerability.

This document was written by Adam Rauf.

Other Information

CVE IDs: CVE-2013-3616
Date Public: 2013-09-23
Date First Published: 2013-09-23
Date Last Updated: 2013-09-23 15:32 UTC
Document Revision: 10

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.