Environment
Novell ZENworks Configuration Management 11.2 ZENworks Control Center - ZCC
Situation
Cross-site Scripting vulnerabilities found as a result of a security scan
Resolution
This is fixed in version 11.2.4 - see KB 7012027 "ZENworks
Configuration Management 11.2.4 - update information and list of fixes"
which can be found at https://support.microfocus.com/kb/doc.php?id=7012027
For ZCM 11.2.3a: Workaround - if it is not possible to upgrade to ZCM 11.2.4 at this time, Novell has made a Patch available for testing, as part of a Monthly patch update: it can be obtained at https://download.novell.com/Download?buildid=s5zcEae9xcI~ as "ZCM 11.2.3a Monthly Update 1 - see TID 7012025". This update should only be applied if the symptoms above are being experienced, and are causing problems.
Please report any problems encountered when using this Patch, by using the feedback link on this TID.
The issue is fixed in njwc.jar by checking the onload event for all the tags and ignore those vulnerability issues by not executing the event for all tags.
For ZCM 11.2.3a: Workaround - if it is not possible to upgrade to ZCM 11.2.4 at this time, Novell has made a Patch available for testing, as part of a Monthly patch update: it can be obtained at https://download.novell.com/Download?buildid=s5zcEae9xcI~ as "ZCM 11.2.3a Monthly Update 1 - see TID 7012025". This update should only be applied if the symptoms above are being experienced, and are causing problems.
Please report any problems encountered when using this Patch, by using the feedback link on this TID.
The issue is fixed in njwc.jar by checking the onload event for all the tags and ignore those vulnerability issues by not executing the event for all tags.
Cause
Vulnerability issues for the frame tag onload event was not handled
properly..in the case of onload event, if user passes any vulnerable data, it will
be executed.
Status
Security AlertAdditional Information
Cross-site Scripting vulnerabilities allow malicious scripts to execute in the
context of a trusted session with a web site. The
SmartAttack alters the inputs to the web application to send benign versions of
such malicious scripts, and detects the actual
execution or unfiltered reflection of such scripts.
Assigned CVE-2013-1097