JSA10589 - 2013-09 Security Bulletin: Pulse Connect Secure (PCS): Multiple cross site scripting issues

Product Affected
SA700, SA2500, FIPS SA4000, SA4500, FIPS SA4500, FIPS SA6000, SA6500, FIPS SA6500, MAG2600, MAG4610, MAG6610, and MAG6611
Problem
Multiple cross site scripting issues have been found in the Pulse Connect Secure (PCS) product. The issues are the result of incorrect validation of user input sent to the PCS web server. These issues exist within files that pertain to login pages, as well as a support-related page that is only accessible by an authenticated session.

Note: The specific cross site scripting issues contained in this advisory do not affect Pulse Policy Secure (PPS) OS.

Pulse Secure SIRT is not aware of any malicious exploitation of these vulnerabilities.
Solution
The issues are fixed in PCS releases 7.4R3, 7.3R6, 7.2R11, 7.1R15, and all subsequent releases.
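
An added example, not part of the original bulletin or any Pulse Secure tooling: a triage script that checks an inventory of PCS versions against the fixed releases listed above. The version string format, the treatment of branches after 7.4 as "subsequent releases", and the sample hostnames are assumptions.

```python
import re

# Fixed release number per branch, from the Solution section of this bulletin.
FIXED = {(7, 1): 15, (7, 2): 11, (7, 3): 6, (7, 4): 3}

# Assumed version format: <major>.<minor>R<release>[.<patch>], e.g. "7.2R10", "7.4R3.1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.\d+)?$", re.IGNORECASE)


def triage(version):
    """Classify one PCS version string against the fixed releases of JSA10589."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"
    major, minor, release = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch in FIXED:
        return "fixed" if release >= FIXED[branch] else "needs-upgrade"
    if branch > max(FIXED):
        return "fixed"  # assumption: later branches are "subsequent releases"
    return "no-fix-listed"  # branch older than 7.1: the bulletin names no fixed release


def triage_inventory(inventory):
    """Return (per-host results, sorted hosts that are not confirmed fixed)."""
    results = {host: triage(ver) for host, ver in inventory.items()}
    follow_up = sorted(h for h, r in results.items() if r != "fixed")
    return results, follow_up


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "vpn-a.example.test": "7.2R10",
    "vpn-b.example.test": "7.2R11",
    "vpn-c.example.test": "7.4R3.1",
    "vpn-d.example.test": "7.0R9",
    "vpn-e.example.test": "8.0R1",
    "vpn-f.example.test": "unknown",
}

if __name__ == "__main__":
    results, follow_up = triage_inventory(SAMPLE_INVENTORY)
    for host in sorted(results):
        print(f"{host:22} {SAMPLE_INVENTORY[host]:8} {results[host]}")
    print("follow up:", ", ".join(follow_up))
```

Hosts reported as "no-fix-listed" or "unparseable" need manual review, since the bulletin does not say how to treat them.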

 
Workaround
There are no viable workarounds for these issues. The affected pages are needed for normal operation and cannot be disabled.
CVSS Score
4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Risk Assessment
Successful exploit of this vulnerability could allow an attacker to dynamically create arbitrary active content which could be rendered in the user's browser, leading to possible session theft, service disruption, or other information disclosure.
Acknowledgements
Pulse Secure would like to thank Sandro Gauci of EnableSecurity for responsibly reporting one of the issues included in this advisory.
Risk Level
Medium
Legacy ID
JSA10589
