Novell Vibe 3 BETA OnPrem Stored Cross-site Scripting Vulnerability

  • 7007351
  • 09-Dec-2010
  • 27-Apr-2012

Environment

Novell Vibe OnPrem 3

Situation

Vulnerability Details:
Type of vulnerability: Stored Cross-site scripting (XSS)
Who can exploit it: Local and Remote attackers
Risk: High

Vulnerability Description: 
Users can include and store arbitrary client-side code, such as JavaScript, in the Novell Vibe web application. That code is then executed in the browser of any unsuspecting user who views the stored entry.

The vulnerability exists because the "/gwtTeaming.rpc" handler does not properly sanitize user input submitted through the "What Are You Working On?" (Micro Blog) entry field, and because the application also fails to encode that stored input when it is rendered, which allows the injected script to execute.

Impact: Any user who can view another user's Micro Blog entry is exposed to this XSS attack. Successful exploitation could result in session cookie theft, session hijacking, URL redirection, and possible operating system code execution on the targeted victim's host (for example, by chaining the injected script with a browser exploit).

Resolution

The vulnerability was addressed in the final shipping version of Novell Vibe OnPrem 3; the BETA release is affected and should be upgraded.

Status

Security Alert

Additional Information

Identifiers:
CVE-2010-4322
SERT-VDN-1002

Found and Reported by:
Rob Kraus, Paul Petefish, and Solutionary Engineering Research Team (SERT)