Novell Home

My Favorites

Close

Please to see your favorites.

Cross-Site Scripting vulnerability found on ZCC page

This document (7012502) is provided subject to the disclaimer at the end of this document.

Environment

Novell ZENworks Configuration Management 11.2 ZENworks Control Center - ZCC

Situation

Cross-site Scripting vulnerabilities found as a result of a security scan

Resolution

This is fixed in version 11.2.4 - see TID 7012027 "ZENworks Configuration Management 11.2.4 - update information and list of fixes" which can be found at http://www.novell.com/support/search.do?usemicrosite=true&searchString=7012027

For ZCM 11.2.3a: Workaround - if it is not possible to upgrade to ZCM 11.2.4 at this time, Novell has made a Patch available for testing, as part of a Monthly patch update: it can be obtained at http://download.novell.com/Download?buildid=s5zcEae9xcI~ as "ZCM 11.2.3a Monthly Update 1 - see TID 7012025". This update should only be applied if the symptoms above are being experienced, and are causing problems.

Please report any problems encountered when using this Patch, by using the feedback link on this TID.

The issue is fixed in njwc.jar by checking the onload event for all the tags and ignore those vulnerability issues by not executing the event for all tags.

Cause

Vulnerability issues for the frame tag onload event was not handled properly..in the case of onload event, if user passes any vulnerable data, it will be executed.

Status

Security Alert

Additional Information

Cross-site Scripting vulnerabilities allow malicious scripts to execute in the context of a trusted session with a web site. The SmartAttack alters the inputs to the web application to send benign versions of such malicious scripts, and detects the actual execution or unfiltered reflection of such scripts.

Assigned  CVE-2013-1097

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7012502
  • Creation Date:28-MAY-13
  • Modified Date:16-JAN-14
    • NovellZENworks Configuration Management

Did this document solve your problem? Provide Feedback