JSA10496 - 2011-12 Security Bulletin: Pulse Connect Secure (PCS): Cross Site Scripting Issue

Product Affected
SA 500, SA 700, SA 2000, SA 2500, SA 4000, SA 4500, SA 6000, SA 6500, SA 4000 FIPS, SA 6000 FIPS, SA 4500 FIPS, SA 6500 FIPS, MAG2600, MAG4610, MAG-SM160, MAG-SM360
Problem
A cross site scripting issue was found in the Pulse Connect Secure (PCS) product during proactive security testing. The issue is caused by incorrect validation of user input sent to the PCS web server. It exists in a file that pertains to the JSAM (Java Secure Access Manager) feature, which is only accessible by an authenticated user. The page can be accessed by an authenticated user whether or not the JSAM feature is enabled.
Solution
The following PCS software releases have a fix for this issue: PCS: 7.0R8, 7.1R5 or higher. We recommend upgrading your PCS software to resolve this security vulnerability.

There are no workarounds for this issue. The only way to mitigate the issue is to upgrade to a release of PCS software that contains the fix.
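
As an added example (not Pulse Secure's code), the following Python sketch triages an appliance inventory against the fixed releases listed above. It assumes version strings of the form 7.1R5 or 7.0R8.1 and reads "or higher" as also covering release trains newer than 7.1; the host names and status labels are constructed for illustration.

```python
import re

# First fixed build per release train, as listed in this bulletin.
FIXED = {(7, 0): (8, 0), (7, 1): (5, 0)}
NEWEST_LISTED_TRAIN = max(FIXED)

# Assumed format: <major>.<minor>R<release>[.<patch>], e.g. "7.1R5" or "7.0R8.1".
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Split a version string into (train, build) tuples of integers."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised PCS version string: {text!r}")
    major, minor, release, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (release, patch)


def jsa10496_status(text):
    """Classify one version string against the bulletin's fixed releases."""
    try:
        train, build = parse_version(text)
    except ValueError:
        return "unparsed"          # check the appliance by hand
    if train in FIXED:
        return "fixed" if build >= FIXED[train] else "needs_upgrade"
    if train > NEWEST_LISTED_TRAIN:
        return "fixed"             # assumption: "7.1R5 or higher" covers later trains
    return "unlisted"              # bulletin names no fixed build for this train


def triage(inventory):
    """Map each host in {host: version} to its status."""
    return {host: jsa10496_status(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = {
    "vpn-a.example.test": "7.0R7",
    "vpn-b.example.test": "7.0R8",
    "vpn-c.example.test": "7.1R4.2",
    "vpn-d.example.test": "7.1R5",
    "vpn-e.example.test": "6.5R9",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:22} {SAMPLE_INVENTORY[host]:8} {status}")
```

Hosts reported as unlisted or unparsed need a manual check, since the bulletin does not state a fixed build for those release trains.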
Related Links
Patched Software Release Service Packages are available at the Pulse Secure Licensing and Download Center: https://my.pulsesecure.net. Documentation for the relevant software is also available at the Pulse Secure Licensing and Download Center.
CVSS Score
5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Risk Assessment
A successful cross site scripting exploit would allow an attacker to dynamically generate web content of their choosing, which could be rendered in the user's browser. This could allow session theft or other information disclosure.
Alert Type
PSN - Product Support Notification
Risk Level
Medium
Legacy ID
PSN-2011-12-443, JSA10496