JSA10459 - Pulse Connect Secure (PCS) meeting_testjava.cgi XSS Vulnerability (ZDI-10-231)

Information

 
Product Affected
This is a zero day issue which affects all versions of PCS.
Problem
The CGI script /dana-na/meeting/meeting_testjava.cgi is vulnerable to a cross-site scripting (XSS) attack. The script tests the presence of a JVM client by loading an applet. An attacker could exploit this vulnerability to inject arbitrary JavaScript into the page.
Solution
Software updates to PCS have been released to resolve this issue. Releases containing the fix include PCS 6.5R7 (Build 16789), released on 2010-10-05, and PCS 7.0R3 (Build 16899), released on 2010-11-03.

This issue is being tracked as PR 543455.
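
An added example, not part of the original advisory or of any vendor tooling: a Python check that classifies reported PCS version strings against the fixed releases listed above. The version-string format, the sample hostnames, and treating later R releases on a fixed branch as containing the fix are assumptions.

```python
import re

# Fixed releases exactly as listed in the advisory: branch -> (R number, build).
FIXED = {(6, 5): (7, 16789), (7, 0): (3, 16899)}

# Assumed string shape, e.g. "7.0R3 (Build 16899)" or "6.5R6.1"; build is optional.
_VERSION = re.compile(
    r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?(?:\s*\(Build\s+(\d+)\))?\s*$", re.IGNORECASE
)

def parse_version(text):
    """Return ((major, minor), release, build or None), or None if unparseable."""
    m = _VERSION.match(text)
    if not m:
        return None
    major, minor, rel, _patch, build = m.groups()
    return (int(major), int(minor)), int(rel), int(build) if build else None

def assess(text):
    """Classify a version as 'fixed', 'vulnerable', 'unlisted' or 'unparseable'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparseable"
    branch, rel, build = parsed
    if branch not in FIXED:
        # All versions are affected and fixes are named only for 6.5 and 7.0:
        # older branches have no listed fix, newer ones are not covered here.
        return "vulnerable" if branch < min(FIXED) else "unlisted"
    fixed_rel, fixed_build = FIXED[branch]
    if rel != fixed_rel:
        # Assumption: later R releases on the same branch carry the fix forward.
        return "fixed" if rel > fixed_rel else "vulnerable"
    # Same R number: the build number decides when it is known.
    if build is not None and build < fixed_build:
        return "vulnerable"
    return "fixed"

def needs_attention(inventory):
    """Return {host: status} for every appliance not confirmed as fixed."""
    result = {h: assess(v) for h, v in inventory.items()}
    return {h: s for h, s in result.items() if s != "fixed"}

# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE = {
    "vpn-a.example": "7.0R3 (Build 16899)",
    "vpn-b.example": "6.5R6.1",
    "vpn-c.example": "7.0R2 (Build 16499)",
    "vpn-d.example": "n/a",
}
print(needs_attention(SAMPLE))
```

Anything reported as `unlisted` or `unparseable` needs a manual check against the vendor's release notes rather than being treated as safe.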
Workaround
No known workaround exists for this issue.
Implementation
Related Links
CVSS Score
5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Risk Assessment
Acknowledgements
This issue was reported to Pulse Secure by Davy Douhine working in cooperation with ZDI. Pulse Secure SIRT would like to thank them for their efforts and responsible disclosure.
Alert Type
PSN - Product Support Notification
Risk Level
Medium
Legacy ID
PSN-2010-11-983, JSA10459
