JSA10602 - 2013-12 Security Bulletin: Pulse Connect Secure (PCS): Cross site scripting issue (CVE-2013-6956)


Information

 
Product Affected
This issue can affect all: SA700, SA2000, SA2500, SA4000, FIPS SA4000, SA4500, FIPS SA4500, SA6000, FIPS SA6000, SA6500, FIPS SA6500, MAG2600, MAG4610, MAG6610, and MAG6611
Problem
A cross site scripting issue has been found in Pulse Connect Secure (PCS). The problem is a result of incorrect user input validation on the PCS web server. The issue exists within a file that pertains to the PCS web rewriting feature pages that are only accessible by an authenticated session. This issue is only present when web rewrite is enabled on a user's role.

Pulse Secure SIRT is not aware of any malicious exploitation of these vulnerabilities.

No other Pulse Secure products or platforms are affected by this issue.

This issue has been assigned CVE-2013-6956.
Solution
The issue is fixed in PCS releases: 8.0R1, 7.4R6, 7.3R8, and 7.1R17, and all subsequent releases.
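
The fixed-release list above can be applied to a device inventory. The following is an added example, not code from Pulse Secure; it assumes version strings of the form `<major>.<minor>R<release>[.<patch>]`, and the host names in the sample inventory are constructed.

```python
import re

# Fixed releases per branch, taken from the Solution text of this bulletin.
FIXED = {(8, 0): (1, 0), (7, 4): (6, 0), (7, 3): (8, 0), (7, 1): (17, 0)}

# Assumed layout: <major>.<minor>R<release>[.<patch>], e.g. "7.4R6" or "7.4R5.1".
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)[Rr](\d+)(?:\.(\d+))?\s*$")


def parse_version(text):
    """Split a version string into (branch, release) tuples for comparison."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, rel, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (rel, patch)


def classify(version, web_rewrite_enabled=True):
    """Return 'fixed', 'vulnerable', 'mitigated' or 'unknown' for CVE-2013-6956."""
    branch, release = parse_version(version)
    if branch in FIXED:
        if release >= FIXED[branch]:
            return "fixed"
    elif branch > max(FIXED):
        return "fixed"      # covered by "all subsequent releases"
    else:
        return "unknown"    # branch not named in the bulletin: review manually
    # Affected release: the issue is only present when web rewrite is enabled.
    return "vulnerable" if web_rewrite_enabled else "mitigated"


def audit(inventory):
    """Map each host to its status; inventory rows are (host, version, rewrite)."""
    return {host: classify(ver, rewrite) for host, ver, rewrite in inventory}


# Constructed sample inventory (host names and versions are illustrative).
SAMPLE = [
    ("vpn-a.example", "7.4R5.1", True),
    ("vpn-b.example", "7.4R6", True),
    ("vpn-c.example", "7.3R7", False),
    ("vpn-d.example", "7.2R4", True),
    ("vpn-e.example", "8.1R2", True),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Branches the bulletin does not list (for example 7.2) are reported as `unknown` rather than guessed, so they can be checked against vendor guidance.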

 
Workaround
 This issue can be avoided if the PCS web rewriting feature is disabled. If this feature is required, an upgrade to a fixed version will resolve this issue.
CVSS Score
4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Risk Assessment
Successful exploit of this vulnerability could allow an attacker to dynamically create arbitrary active content which could be rendered in the user's browser, leading to possible session

Information for how Pulse Secure uses CVSS can be found at KB16446 "Common Vulnerability Scoring System (CVSS) and Pulse Secure's Security Advisories."
Acknowledgements
Pulse Secure would like to thank Roberto Suggi Liverani of NCIA/NCIRC for responsibly bringing this issue to our attention.
Risk Level
Low
Legacy ID
JSA10602
