Advisory Information
- Title: Carbon Black Persistent Cross-Site Scripting (XSS)
- Advisory ID: SWRX-2014-008
- Date published: Tuesday, May 6, 2014
- CVE: CVE-2014-1844
- CVSS v2 base score: 3.5
- Date of last update: Tuesday, May 6, 2014
- Vendors contacted: Carbon Black
- Release mode: Coordinated
- Discovered by: Sean Wright, Dell SecureWorks
Summary
Carbon Black is an endpoint security solution that provides administrative functionality and other features via a dedicated web application. There is a vulnerability in the product's web interface due to insufficient server-side validation. An attacker can create a user with malicious username content, and this username is persisted to the server. When an administrator views a list of users, the malicious username is loaded and a cross-site script is injected into the page. An attacker could exploit this issue to direct a victim to a malicious website or steal the victim's session information.
Download the PDF: SWRX-2014-008