Environment
Novell ZENworks Configuration Management 11.2 ZENworks Control Center - ZCC
Situation
A cross-site scripting vulnerability was found in ZCC. It is a reflected XSS: the injected input was echoed back immediately, in an alert shown in response to the request that carried it.
Resolution
This is fixed in version 11.2.4 - see KB 7012027 "ZENworks Configuration Management 11.2.4 - update information and list of fixes", which can be found at https://support.microfocus.com/kb/doc.php?id=7012027
For ZCM 11.2.3a: Workaround - if it is not possible to upgrade to ZCM 11.2.4 at this time, Novell has made a Patch available for testing, as part of a Monthly patch update: it can be obtained at https://download.novell.com/Download?buildid=s5zcEae9xcI~ as "ZCM 11.2.3a Monthly Update 1 - see TID 7012025". This update should only be applied if the symptoms above are being experienced, and are causing problems.
Please report any problems encountered when using this Patch, by using the feedback link on this TID.
Also Fixed in 11.2.4 https://download.novell.com/Download?buildid=ZCUFlvDkC9w~
A change was made to njwc.jar: input that is used as part of the onError handler is now ignored, so it can no longer be reflected there.
Cause
Root cause: in the case of the onError event, the vulnerability scenarios (untrusted input reaching the handler) were not handled.
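As an added illustration in Java (not ZENworks or Novell code, and not the njwc.jar change itself), the shape of this class of bug: a request value reflected into an HTML attribute next to an event handler, shown unsafely and then hardened with attribute-context encoding. The class, method names and sample input are hypothetical and constructed for this example.

```java
import java.util.regex.Pattern;

/** Added illustration (hypothetical): reflecting a request parameter into an HTML attribute. */
public final class AttributeReflection {

    // Unsafe rendering: the raw parameter lands inside an attribute on an element that also
    // carries an onError handler, the same context the advisory above describes.
    static String renderUnsafe(String imgUrl) {
        return "<img src=\"" + imgUrl + "\" onerror=\"showFallback()\">";
    }

    // Hardened rendering: encode every character that could end or alter the attribute.
    static String renderSafe(String imgUrl) {
        return "<img src=\"" + encodeForHtmlAttribute(imgUrl) + "\" onerror=\"showFallback()\">";
    }

    /** Encode for a quoted HTML attribute value: everything except [A-Za-z0-9] becomes &#xHH;. */
    static String encodeForHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); ) {
            int cp = s.codePointAt(i);
            i += Character.charCount(cp);
            boolean alnum = (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') || (cp >= '0' && cp <= '9');
            if (alnum) {
                out.appendCodePoint(cp);
            } else {
                out.append("&#x").append(Integer.toHexString(cp)).append(';');
            }
        }
        return out.toString();
    }

    // Reviewer check: an encoded attribute value must contain no quote, angle bracket,
    // or bare ampersand (an ampersand is only acceptable as the start of a numeric entity).
    private static final Pattern ATTRIBUTE_BREAKERS = Pattern.compile("[\"'<>]|&(?!#x[0-9a-fA-F]+;)");

    static boolean isSafeAttributeValue(String encoded) {
        return !ATTRIBUTE_BREAKERS.matcher(encoded).find();
    }

    public static void main(String[] args) {
        // Constructed sample input: a double quote is the character that terminates the attribute.
        String untrusted = "logo.png\" title=\"x";
        System.out.println(renderUnsafe(untrusted));   // the quote ends src early and adds an attribute
        System.out.println(renderSafe(untrusted));     // the quote survives only as &#x22;
        System.out.println(isSafeAttributeValue(encodeForHtmlAttribute(untrusted)));
        System.out.println(isSafeAttributeValue(untrusted));
    }
}
```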
Status
Security Alert
Additional Information
Assigned CVE-2013-1095
OWASP 2010 A 2