
CERT Coordination Center

Corporater EPM Suite is vulnerable to cross-site request forgery and cross-site scripting

Vulnerability Note VU#595142

Original Release Date: 2013-08-26 | Last Revised: 2013-09-03


Corporater EPM Suite contains cross-site request forgery (CSRF) (CWE-352) and reflected cross-site scripting (XSS) (CWE-79) vulnerabilities.


CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2013-3583

Corporater EPM Suite contains a cross-site request forgery vulnerability in the saveProperties.html page. An attacker who lures a previously authenticated user to a crafted web page can cause that user's browser to submit a request to saveProperties.html that changes the user's password without their knowledge or consent.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2013-3584
Corporater EPM Suite also contains a reflected cross-site scripting vulnerability: the value of the customerId query string parameter is reflected into the response without proper neutralization, allowing an attacker to inject arbitrary HTML content (including script) into the page by supplying a crafted URL.

The CVSS score below applies to the CVE-2013-3584 vulnerability.


An attacker can conduct a cross-site request forgery or cross-site scripting attack. The CSRF vulnerability could be used to make unauthorized changes to user credentials, and the XSS vulnerability could be used to inject arbitrary HTML content (including script) into a web page presented to the user. Injected JavaScript can be used to steal authentication cookies or other sensitive information.


We are currently unaware of a practical solution to this problem.

Vendor Information



Notified:  July 03, 2013 Updated:  August 16, 2013



Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
Temporal 4.0 E:POC/RL:U/RC:UC
Environmental 1 CDP:N/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Tudor Enache of Help AG Middle East for reporting this vulnerability.

This document was written by Adam Rauf.

Other Information

CVE IDs: CVE-2013-3583, CVE-2013-3584
Date Public: 2013-08-26
Date First Published: 2013-08-26
Date Last Updated: 2013-09-03 18:46 UTC
Document Revision: 35

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.