JSA10428 - 2010-03 Security Bulletin: Pulse Connect Secure (PCS)- Cross site scripting issue on end user edit bookmarks page

Cross site scripting issue on the end user edit bookmarks page.

This issue was found during external proactive security testing.

This vulnerability only affects users that are authenticated.

The following PCS software releases have a fix for this issue:PCS: 6.3R7; 6.4R5; 6.5R2, or higher. We recommend upgrading your IVE software to resolve this security vulnerability.

6.0 (EOL - end of life) PCS software will also have a release that will fix this issue. The 6.0 fix will come in a release that is planned for completion by the end of May 2010. Please visit the PCS software download page at that time to download the fixed 6.0 IVE software release.


 

Possible workaround: To remove this vulnerability, PCS Administrators will need to disable their users ability to add bookmarks. This can be accomplished via the Central Manager: Users --> User Roles --> (Role name) --> Web --> Options, Uncheck "Users can add bookmarks." User created bookmarks will no longer be displayed once this option is disabled. Your users will also not be able to add or edit bookmarks. If users would like to navigate to pages via the PCS that are not found in their Administrator configured bookmarks, they will need to manually type in the URLs into the PCS browse bar.

To download the latest software, please visit: http://my.pulsesecure.net

Pulse Secure would like to acknowledge Logica Nederland BV for reporting this issue.