JSA10589 - 2013-09 Security Bulletin: Pulse Connect Secure (PCS): Multiple cross site scripting issues

Printable View

« Go Back

Information

Product Affected	SA700, SA2500, FIPS SA4000, SA4500, FIPS SA4500, FIPS SA6000, SA6500, FIPS SA6500, MAG2600, MAG4610, MAG6610, and MAG6611

Problem

Multiple cross site scripting issues have been found in the Pulse Connect Secure (PCS) product. The issues are the result of incorrect validation of user input sent to the PCS web server. These issues exist within files that pertains to login pages, as well as a support related page that is only accessible by an authenticated session.

Note: The specific cross site scripting issues contained in this advisory do not affect Pulse Policy Secure (PPS) OS.

Pulse Secure SIRT is not aware of any malicious exploitation of these vulnerabilities.

Solution

The issues are fixed in PCS releases 7.4R3, 7.3R6, 7.2R11, 7.1R15, and all subsequent releases.

Workaround

There are no viable workarounds for these issues. The affected pages are needed for normal operation and cannot be disabled.

Implementation

Related Links

CVE-2013-5649

CVSS Score	4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Risk Assessment	Successful exploit of this vulnerability could allow an attacker to dynamically create arbitrary active content which could be rendered in the user's browser, leading to possible session theft, service disruption, or other information disclosure.

Acknowledgements

Pulse Secure would like to thank Sandro Gauci of EnableSecurity for responsibly reporting one of the issues included in this advisory.

Alert Type

Risk Level	Medium

Attachment 1

Attachment 2

Legacy ID	JSA10589

Related Articles

JSA10589 - 2013-09 Security Bulletin: Pulse Connect Secure (PCS): Multiple cross site scripting issues

Information

Feedback

Was this article helpful?