0 Results Found
              Back To Results
                Advisories

                Carbon Black Persistent Cross-Site Scripting (XSS)

                Dell SecureWorks Security Advisory SWRX-2014-008

                Advisory Information

                • Title: Carbon Black Persistent Cross-Site Scripting (XSS)
                • Advisory ID: SWRX-2014-008
                • Date published: Tuesday, May 6, 2014
                • CVE: CVE-2014-1844
                • CVSS v2 base score: 3.5
                • Date of last update: Tuesday, May 6, 2014
                • Vendors contacted: Carbon Black
                • Release mode: Coordinated
                • Discovered by: Sean Wright, Dell SecureWorks

                Summary

                Carbon Black is an endpoint security solution that provides administrative functionality and other features via a dedicated web application. There is a vulnerability in the product's web interface due to insufficient server-side validation. An attacker can create a user with malicious username content, and this username is persisted to the server. When an administrator views a list of users, the malicious username is loaded and a cross-site script is injected into the page. An attacker could exploit this issue to direct a victim to a malicious website or steal the victim's session information.

                Download the PDF: SWRX-2014-008

                PGP Signature

                Related Content