0 Results Found
            Back To Results
              Advisory

              Carbon Black Persistent Cross-Site Scripting (XSS)

              Dell SecureWorks Security Advisory SWRX-2014-008

              Advisory Information

              • Title: Carbon Black Persistent Cross-Site Scripting (XSS)
              • Advisory ID: SWRX-2014-008
              • Date published: Tuesday, May 6, 2014
              • CVE: CVE-2014-1844
              • CVSS v2 base score: 3.5
              • Date of last update: Tuesday, May 6, 2014
              • Vendors contacted: Carbon Black
              • Release mode: Coordinated
              • Discovered by: Sean Wright, Dell SecureWorks

              Summary

              Carbon Black is an endpoint security solution that provides administrative functionality and other features via a dedicated web application. There is a vulnerability in the product's web interface due to insufficient server-side validation. An attacker can create a user with malicious username content, and this username is persisted to the server. When an administrator views a list of users, the malicious username is loaded and a cross-site script is injected into the page. An attacker could exploit this issue to direct a victim to a malicious website or steal the victim's session information.

              Download the PDF: SWRX-2014-008

              PGP Signature

              Related Content