Environment
Novell ZENworks Configuration Management 11.2 ZENworks Control Center - ZCC
Situation
Cross-Site Scripting vulnerability. The injected value was being reflected in a web response, although such values are never executed as part of a request or response.
Resolution
This is fixed in version 11.2.4 - see KB 7012027 "ZENworks
Configuration Management 11.2.4 - update information and list of fixes"
which can be found at https://support.microfocus.com/kb/doc.php?id=7012027
For ZCM 11.2.3a (workaround): if it is not possible to upgrade to ZCM 11.2.4 at this time, Novell has made a patch available for testing as part of a monthly patch update. It can be obtained at https://download.novell.com/Download?buildid=s5zcEae9xcI~ as "ZCM 11.2.3a Monthly Update 1 - see TID 7012025". This update should only be applied if the symptoms above are being experienced and are causing problems. Please report any problems encountered when using this patch by using the feedback link on this TID.
Changes were made in zenworks-core to address this issue.
Cause
Passing the value <script>alert(13607910.847)</script> as the language parameter triggers the vulnerability, because values that are not valid locales were not validated.
Status
Security Alert
Additional Information
How it is fixed: if any value other than one of the locales offered in the drop-down list of the Login.jsp page is passed in the language parameter, that value is escaped and the locale is set to the default language, English.
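The fix described above, as an added example that is not ZENworks code: the language parameter is checked against an allowlist of supported locale tags, anything else falls back to English, and any untrusted value that must still be echoed or logged is HTML-escaped. The tag set is an assumption standing in for the Login.jsp drop-down.

```java
import java.util.Locale;
import java.util.Set;
// Added example, not ZENworks code. SUPPORTED is an assumed stand-in for the
// Login.jsp drop-down; the real allowlist is whatever locales ZCC ships.
public class LocaleParamValidator {
    private static final Set<String> SUPPORTED = Set.of(
        "en", "de", "es", "fr", "it", "ja", "pt", "zh-CN", "zh-TW");
    private static final Locale DEFAULT = Locale.ENGLISH;

    // Vulnerable pattern: the raw parameter is echoed into the response body.
    public static String renderUnsafe(String language) {
        return "<input type=\"hidden\" name=\"language\" value=\"" + language + "\">";
    }

    // Minimal HTML escaping for any untrusted value that must be echoed or logged.
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Fixed pattern: accept only an allowlisted tag; anything else falls back to the default.
    public static Locale resolveLocale(String language) {
        if (language != null && SUPPORTED.contains(language)) {
            return Locale.forLanguageTag(language);
        }
        return DEFAULT;
    }

    // Hardened rendering: the value written back is always a known-good tag.
    public static String renderSafe(String language) {
        return "<input type=\"hidden\" name=\"language\" value=\""
            + escapeHtml(resolveLocale(language).toLanguageTag()) + "\">";
    }
    public static void main(String[] args) {
        String bad = "<script>alert(13607910.847)</script>"; // payload quoted in this TID
        System.out.println(renderUnsafe(bad)); // markup reaches the browser
        System.out.println(renderSafe(bad));   // value="en"
        System.out.println(renderSafe("de"));  // value="de"
    }
}
```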
OWASP 2010 A 2
Assigned CVE-2013-1094