JSA10428 - 2010-03 Security Bulletin: Pulse Connect Secure (PCS)- Cross site scripting issue on end user edit bookmarks page

Product Affected
PCS: SA 500, SA 700, SA 1000, SA 2000, SA 2500, SA 3000, SA 4000, SA 4500, SA 5000, SA 6000, SA 6500, SA 3000 FIPS, SA 5000 FIPS, SA 4000 FIPS, SA 6000 FIPS, SA 4500 FIPS, SA 6500 FIPS
Problem

Cross site scripting issue on the end user edit bookmarks page.

This issue was found during external proactive security testing.

This vulnerability only affects users that are authenticated.
Solution

The following PCS software releases have a fix for this issue: PCS 6.3R7, 6.4R5, 6.5R2, or higher. We recommend upgrading your IVE software to resolve this security vulnerability.

6.0 (EOL - end of life) PCS software will also have a release that will fix this issue. The 6.0 fix will come in a release that is planned for completion by the end of May 2010. Please visit the PCS software download page at that time to download the fixed 6.0 IVE software release.
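
An added example (not part of the original bulletin and not Pulse Secure tooling): a small Python check that compares device release strings against the fixed releases listed above. The release-string format `<major>.<minor>R<n>[.<m>]`, the reading of "or higher" as covering later release trains, and the sample hostnames are assumptions.

```python
import re

# Fixed release per release train, taken from the bulletin text.
FIXED = {(6, 3): (7, 0), (6, 4): (5, 0), (6, 5): (2, 0)}
# Assumed release-string format: <major>.<minor>R<n>[.<m>], e.g. 6.4R5 or 6.5R3.1
_RELEASE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_release(text):
    """Split a release string into ((major, minor), (release, patch))."""
    m = _RELEASE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    major, minor, rel, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (rel, patch)


def status(text):
    """Classify one release string against the bulletin's fixed releases."""
    train, build = parse_release(text)
    if train in FIXED:
        return "fixed" if build >= FIXED[train] else "vulnerable"
    if train > max(FIXED):
        return "fixed"        # assumption: "or higher" covers later trains
    if train == (6, 0):
        return "fix-pending"  # bulletin gives no 6.0 release number yet
    return "unknown"          # train not mentioned in the bulletin


def audit(inventory):
    """Return {host: status} for every device that is not confirmed fixed."""
    findings = {}
    for host, release in inventory.items():
        result = status(release)
        if result != "fixed":
            findings[host] = result
    return findings


# Constructed sample inventory (hostnames and releases are illustrative only).
SAMPLE = {"sa-edge-01": "6.3R6", "sa-edge-02": "6.4R5", "sa-lab-01": "6.0R4",
          "sa-dr-01": "6.5R3.1", "sa-old-01": "6.2R3"}

if __name__ == "__main__":
    for host, result in sorted(audit(SAMPLE).items()):
        print(f"{host}: {result}")
```
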


 
Workaround
Possible workaround: To remove this vulnerability, PCS Administrators will need to disable their users' ability to add bookmarks. This can be accomplished via the Central Manager: Users --> User Roles --> (Role name) --> Web --> Options, uncheck "Users can add bookmarks." User-created bookmarks will no longer be displayed once this option is disabled. Your users will also not be able to add or edit bookmarks. If users would like to navigate to pages via the PCS that are not found in their Administrator-configured bookmarks, they will need to manually type the URLs into the PCS browse bar.
Related Links
To download the latest software, please visit: http://my.pulsesecure.net
CVSS Score
7.0 (AV:N/AC:M/Au:S/C:C/I:P/A:N/E:F/RL:U/RC:C)
Risk Assessment
You can gain unauthorized access to protected resources.
Acknowledgements
Pulse Secure would like to acknowledge Logica Nederland BV for reporting this issue.
Alert Type
PSN - Product Support Notification
Risk Level
High
Legacy ID
PSN-2010-02-660, JSA10428
