Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25292
HistoryDec 12, 2010 - 12:00 a.m.

Novell Vibe 3 BETA OnPrem Stored Cross-site Scripting Vulnerability

2010-12-1200:00:00
vulners.com
31
JSON

Title: Novell Vibe 3 BETA OnPrem Stored Cross-site Scripting Vulnerability
Risk (CVSS2 Base Score): High (7.0)
Solutionary ID: SERT-VDN-1002
CVE ID: CVE-2010-4322
Solutionary disclosure URL:
http://www.solutionary.com/index/SERT/Vuln-Disclosures/Novell-Vibe-Beta-3-XSS-vulnerability.html
Product: Vibe 3 BETA OnPrem
Application vendor: Novell
Vendor URL: http://www.novell.com/products/vibe-onprem/

Date discovered: 11/10/2010
Discovered by: Rob Kraus, Paul Petefish, and Solutionary Engineering Research Team
(SERT)
Vendor notification date: 12/3/2010
Vendor response date: 12/3/2010
Vendor acknowledgment date: 12/3/2010
Vendor provided fix: Final shipping version of Novell Vibe OnPrem 3
Release coordinated with the vendor: 12/4/2010
Public disclosure date: 12/10/2010

Type of vulnerability: Stored Cross-site Scripting (XSS)
Exploit vectors: Local and Remote

Vulnerability description: Users can include and store arbitrary client side code
such as JavaScript in the Novell Vibe web application. The code then can be
executed within an unsuspecting victim’s browser.
The vulnerability exists due to the “/gwtTeaming.rpc” code not properly sanitizing
user input into the “What Are You Working On?” or Micro Blog entry field. Also, the
application fails to encode the output allowing for the execution of the script.

Tested on: Cent OS 5.5 (kernel 2.6.18-194), MySQL Version 14.12 Distribution
5.0.77, and Novell Vibe 3 BETA OnPrem.
Affected software versions: Vibe 3 BETA OnPrem

Impact: Any user who can view another user’s Micro Blog entry is vulnerable to
this XSS attack. Successful exploitation of this vulnerability could result in
session cookie theft, session hijacking, URL redirection, and possible operating
system code execution on the targeted victim’s host.

Fixed in: Fixed in the final shipping version of Novell Vibe OnPrem 3

Remediation guidelines: Update to the final shipping version of Novell Vibe OnPrem
3

Keywords: security, vulnerability, Novell, vibe, collaboration, xss, stored,
cross-site scripting

Solutionary, Inc. Vulnerability Disclosure Policy
http://www.solutionary.com/index/SERT/Vulnerability-Disclosure-Policy.html

Related

prion 1
cve 1
securityvulns 1
prion
prion
Cross site scripting
2011-01-07 23:00:00
cve
cve
CVE-2010-4322
2011-01-07 23:00:00
securityvulns
securityvulns
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
2010-12-12 00:00:00
JSON
Related for SECURITYVULNS:DOC:25292
prion1cve1securityvulns1