JSA10462 - Cross-site scripting issue with file browsing upload page

Product Affected: This is a zero day issue which affects all versions of PCS and PPS.
A cross-site scripting (XSS) vulnerability was identified in the PCS / PPS file browsing upload page during a routine security scan. Specifically, the affected URL is the one called when a user attempts to upload a set of files. A malicious URL can be crafted with a payload that could allow unauthorized access to system resources.
Vulnerable script elements are now escaped to avoid XSS injection.

Software updates to PCS have been released to resolve this issue. Releases containing the fix include PCS 6.0r14 released on 2010-09-15, 6.4r8 released on 2010-07-27, 6.5r6 released on 2010-08-03, 7.0r2 released on 2010-08-31, and all subsequent releases of PCS software. PPS version 4.0r2, and all subsequent releases of PPS software, also contain the fix.

This issue is being tracked as PR 526124.
Disabling the Roaming Session feature limits the scope of the vulnerability by binding the initial user's IP address to the session cookie.
How to obtain fixed software:

Software release Service Packages are available from the "Download Software" links.
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Alert Type: PSN - Product Support Notification
Risk Level: Medium
Legacy ID: PSN-2010-12-110, JSA10462


