JSA10502 - 2012-03 Security Bulletin: Pulse Connect Secure (PCS): Cross Site Scripting Issue

Product Affected
SA 700, SA 2000, SA 2500, SA 4000, SA 4500, SA 6000, SA 6500, SA 4000 FIPS, SA 6000 FIPS, SA 4500 FIPS, SA 6500 FIPS, MAG2600, MAG4610, MAG-SM160, MAG-SM360
Problem
A cross site scripting issue has been found in the Pulse Connect Secure device. The issue is caused by incorrect validation of user input sent to the web server. It exists within a file that pertains to the Network Connect (NC) / Pulse Secure client feature, which is only accessible by an authenticated user.

This issue was found during proactive security testing of the PCS device.

Solution
The following software releases have a fix for this issue: PCS 7.0R9, 7.1R6 or higher.

Pulse Secure recommends upgrading your PCS software to resolve this security vulnerability.
Workaround

Disabling VPN Tunneling at the role level will remove the issue. This is recommended only if your users are not using the Network Connect / Pulse Secure client to access the PCS device.

Implementation
Software release Service Packages are available at https://www.pulsesecure.net/support/software.
CVSS Score
5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Risk Assessment
A successful cross site scripting exploit would allow an attacker to generate web content of their choosing, which could be rendered in the user's browser. This could allow session theft or other information disclosure.
Alert Type
PSN - Product Support Notification
Risk Level
Medium
Legacy ID
PSN-2012-02-513, JSA10502
