JSA10462 - Cross-site scripting issue with file browsing upload page

Information

 
Product Affected
This is a zero-day issue which affects all versions of PCS and PPS.
Problem
A cross-site scripting (XSS) vulnerability was identified in the PCS / PPS file browsing upload page during a routine security scan. The affected URL is requested when a user attempts to upload a set of files. A crafted URL carrying a malicious payload could allow unauthorized access to system resources.
Solution
Vulnerable script elements are now escaped to avoid XSS injection.

Software updates to PCS have been released to resolve this issue. Releases containing the fix include PCS 6.0r14 released on 2010-09-15, 6.4r8 released on 2010-07-27, 6.5r6 released on 2010-08-03, 7.0r2 released on 2010-08-31, and all subsequent releases of PCS software. PPS version 4.0r2, and all subsequent releases of PPS software, also contain the fix.

This issue is being tracked as PR 526124.
 
Workaround
Disabling the Roaming Session feature limits the scope of the vulnerability by binding the session cookie to the IP address from which the user's session was first established.
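As an added illustration (not code from the advisory or from Pulse Secure), the following Python models the two measures the advisory describes for this issue: the fix, which HTML-escapes a URL parameter reflected into the upload page so script elements become inert text, and the workaround, which refuses a session cookie presented from an IP address other than the one it was bound to. The `folder` parameter, the URL, the cookie value and the IP addresses are constructed for the example and do not come from the product.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed session store for the example: each session cookie value is bound
# to the client IP that established it (the effect the advisory attributes to
# disabling Roaming Session). Cookie value and IPs are made up.
SESSIONS = {"sid=constructed-session-1": "10.0.0.5"}


def render_upload_page_vulnerable(folder: str) -> str:
    """'Before': the folder name from the URL is reflected into the page unescaped."""
    return f"<p>Uploading files to: {folder}</p>"


def render_upload_page_fixed(folder: str) -> str:
    """'After': HTML-escape the reflected value so script elements become inert text."""
    return f"<p>Uploading files to: {html.escape(folder, quote=True)}</p>"


def handle_upload_request(url: str, cookie: str, client_ip: str,
                          patched: bool = True) -> tuple[int, str]:
    """Serve the upload page for one request, enforcing IP-bound sessions first.

    Returns (HTTP status, response body). A cookie replayed from an address other
    than the one it was bound to is refused, which is what limits the impact of a
    cookie-stealing XSS payload when Roaming Session is disabled.
    """
    bound_ip = SESSIONS.get(cookie)
    if bound_ip is None or bound_ip != client_ip:
        return 403, ""
    folder = parse_qs(urlparse(url).query).get("folder", [""])[0]
    render = render_upload_page_fixed if patched else render_upload_page_vulnerable
    return 200, render(folder)


def reflects_script_element(body: str) -> bool:
    """Scanner-style check: does a live <script element survive into the response?"""
    return "<script" in body.lower()


if __name__ == "__main__":
    # Hypothetical upload URL carrying a harmless probe in the reflected parameter.
    probe = "https://vpn.example/upload?folder=<script>alert(1)</script>"
    _, before = handle_upload_request(probe, "sid=constructed-session-1", "10.0.0.5", patched=False)
    _, after = handle_upload_request(probe, "sid=constructed-session-1", "10.0.0.5")
    print("unpatched reflects script:", reflects_script_element(before))  # True
    print("patched reflects script:  ", reflects_script_element(after))   # False
    print("replayed cookie from other IP:",
          handle_upload_request(probe, "sid=constructed-session-1", "198.51.100.7")[0])  # 403
```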
Implementation
How to obtain fixed software:

Software release Service Packages are available at https://www.pulsesecure.net/support/software from the "Download Software" links.
Related Links
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Risk Assessment
Acknowledgements
Alert Type: PSN - Product Support Notification
Risk Level: Medium
Legacy ID: PSN-2010-12-110, JSA10462
