Security Vulnerability: DOM based XSS in NetStorage (CVE-2019-3490)

  • 7023828
  • 18-Apr-2019
  • 19-Apr-2019

Environment
NetStorage
Open Enterprise Server 2015 Support Pack 1 (OES 2015 SP1) (OES2015.1)
Open Enterprise Server 2018 (OES 2018)
Open Enterprise Server 2018 Support Pack 1 (OES 2018 SP1) (OES2018.1)

Situation

A DOM-based XSS vulnerability has been identified in the NetStorage component of Open Enterprise Server (OES). It allows a remote attacker to execute JavaScript in the victim's browser by tricking the victim into clicking a specially crafted link.
This affects OES 2015 SP1, OES 2018, and OES 2018 SP1.

Resolution

A code update that addresses the issue has been released as:
OES2018 SP1 - Update 1 Security 18 or later
OES2018 - Update 7 Security 16 or later
OES2015 SP1 - Update 34 Security 4 or later

Status

Security Alert

Additional Information

CERT VU#811253
Older versions of Open Enterprise Server may be affected but were not tested, as they are out of support.
These servers need to be updated to a supported code level before they can benefit from this fix.