V-034: RSA Adaptive Authentication (On-Premise) Input Validation Flaws Permit Cross-Site Scripting Attacks

November 27, 2012 - 2:00am

PROBLEM:

RSA Adaptive Authentication (On-Premise) Input Validation Flaws Permit Cross-Site Scripting Attacks

PLATFORM:

RSA Adaptive Authentication (On-Premise) 6.x

ABSTRACT:

A vulnerability was reported in RSA Adaptive Authentication (On-Premise).

REFERENCE LINKS:

SecurityTracker Alert ID: 1027811
SecurityFocus Security Alert
RSA Customer Support
CVE-2012-4611

IMPACT ASSESSMENT:

Medium

DISCUSSION:

A vulnerability was reported in RSA Adaptive Authentication (On-Premise). A remote user can conduct cross-site scripting attacks. The software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the RSA Adaptive Authentication software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
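The flaw class described above (user-supplied input displayed without HTML filtering) next to its mitigations, as an added example that is not RSA's code and not part of the original bulletin. The host, the `msg` parameter, the `SESSION` cookie name and the page fragment are hypothetical, since the advisory does not name the affected parameter.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed request URL; "msg" is a hypothetical parameter name.
SAMPLE_URL = "https://auth.example.test/login?msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

def get_param(url, name):
    """Return the first decoded value of a query parameter, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]

def render_unfiltered(url):
    """The flaw class described: the decoded value is placed in HTML as-is."""
    return "<p class='notice'>" + get_param(url, "msg") + "</p>"

def render_encoded(url):
    """Hardened: HTML-encode the value before it reaches the page."""
    safe = html.escape(get_param(url, "msg"), quote=True)
    return "<p class='notice'>" + safe + "</p>"

def hardened_headers(session_id):
    """Defence in depth: limit what a script injected elsewhere could reach."""
    return [
        ("Content-Type", "text/html; charset=utf-8"),
        # HttpOnly keeps the authentication cookie out of document.cookie.
        ("Set-Cookie",
         f"SESSION={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/"),
        # No inline script allowed, so an inline script reflected into the
        # page is not executed by a CSP-aware browser.
        ("Content-Security-Policy",
         "default-src 'self'; script-src 'self'; object-src 'none'"),
        ("X-Content-Type-Options", "nosniff"),
    ]

def contains_active_markup(fragment):
    """Demonstration check: did a raw <script tag opener survive rendering?"""
    return "<script" in fragment.lower()

if __name__ == "__main__":
    print("unfiltered:", render_unfiltered(SAMPLE_URL))
    print("encoded:   ", render_encoded(SAMPLE_URL))
    for key, value in hardened_headers("constructed-id"):
        print(f"{key}: {value}")
```

Output encoding addresses the injection itself; the cookie flags and Content-Security-Policy only reduce the impact listed in this bulletin if encoding is missed somewhere.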

IMPACT:

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the RSA Adaptive Authentication software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

SOLUTION:

To obtain the latest RSA product downloads, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose download you want to obtain. Scroll to the section for the product download that you want and click on the link.
