Novell Vibe 3 BETA OnPrem Stored Cross Site Scripting

Posted Dec 10, 2010
Authored by Rob Kraus, Paul Petefish | Site solutionary.com

Novell Vibe version 3 BETA OnPrem suffers from a stored cross site scripting vulnerability.

tags | advisory, xss
advisories | CVE-2010-4322
SHA-256 | 38d0853e67710878d23cc032e0905d8715455a8808a2d048463114929f781f0e

Title: Novell Vibe 3 BETA OnPrem Stored Cross-site Scripting Vulnerability
Risk (CVSS2 Base Score): High (7.0)
Solutionary ID: SERT-VDN-1002
CVE ID: CVE-2010-4322
Solutionary disclosure URL: http://www.solutionary.com/index/SERT/Vuln-Disclosures/Novell-Vibe-Beta-3-XSS-vulnerability.html
Product: Vibe 3 BETA OnPrem
Application vendor: Novell
Vendor URL: http://www.novell.com/products/vibe-onprem/

Date discovered: 11/10/2010
Discovered by: Rob Kraus, Paul Petefish, and Solutionary Engineering Research Team (SERT)
Vendor notification date: 12/3/2010
Vendor response date: 12/3/2010
Vendor acknowledgment date: 12/3/2010
Vendor provided fix: Final shipping version of Novell Vibe OnPrem 3
Release coordinated with the vendor: 12/4/2010
Public disclosure date: 12/10/2010

Type of vulnerability: Stored Cross-site Scripting (XSS)
Exploit vectors: Local and Remote

Vulnerability description: Users can include and store arbitrary client-side code such as JavaScript in the Novell Vibe web application. The stored code is then executed in the browser of any unsuspecting victim who views it.
The vulnerability exists because the “/gwtTeaming.rpc” code does not properly sanitize user input submitted through the “What Are You Working On?” (Micro Blog) entry field. In addition, the application fails to encode this stored content on output, which allows the script to execute when the entry is rendered.

Tested on: CentOS 5.5 (kernel 2.6.18-194), MySQL Version 14.12 Distribution 5.0.77, and Novell Vibe 3 BETA OnPrem.
Affected software versions: Vibe 3 BETA OnPrem

Impact: Any user who can view another user’s Micro Blog entry is vulnerable to this XSS attack. Successful exploitation of this vulnerability could result in session cookie theft, session hijacking, URL redirection, and possible operating system code execution on the targeted victim’s host.

Fixed in: Final shipping version of Novell Vibe OnPrem 3

Remediation guidelines: Update to the final shipping version of Novell Vibe OnPrem 3

Keywords: security, vulnerability, Novell, vibe, collaboration, xss, stored, cross-site scripting

Solutionary, Inc. Vulnerability Disclosure Policy
http://www.solutionary.com/index/SERT/Vulnerability-Disclosure-Policy.html