Security Vulnerability: DOM based XSS in NetStorage (CVE-2019-3490)

  • 7023828
  • 18-Apr-2019
  • 19-Apr-2019

Environment


NetStorage
Open Enterprise Server 2015 Support Pack 1 (OES 2015 SP1) (OES2015.1)
Open Enterprise Server 2018 (OES 2018)
Open Enterprise Server 2018 Support Pack 1 (OES 2018 SP1) (OES2018.1)

Situation

A DOM based XSS vulnerability has been identified in the Netstorage component of Open Enterprise Server (OES) allowing a remote attacker to execute javascript in the victims browser by tricking the victim into clicking on a specially crafted link.
This affects OES versions OES 2015 SP1, OES 2018, and OES 2018 SP1.

Resolution

A code update that addresses the issue has been released as:
OES2018 SP1 - Update 1 Security 18 or later
OES2018 - Update 7 Security 16 or later
OES2015 SP1 - Update 34 Security 4 or later

Status

Security Alert

Additional Information

CERT VU#811253


Older versions of Open Enterprise Server may be affected but were not tested as they are out of support.
These servers need to be updated to a supported code level before they can benefit of this fix.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.