CVE-2018-11074 – DSA-2018-152: RSA® Authentication Manager Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2018-11074
RSA Authentication Manager versions prior to 8.3 P3 are affected by a DOM-based cross-site scripting vulnerability which exists in its embedded MadCap Flare Help files. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to the browser DOM, which code is then executed by the web browser in the context of the vulnerable web application. RSA Authentication Manager en versiones anteriores a la 8.3 P3 se ha visto afectado por una vulnerabilidad Cross-Site Scripting (XSS) basado en DOM que existe en sus archivos MadCap Flare Help embebidos. Un atacante remoto no autenticado podría explotar esta vulnerabilidad engañando a un usuario de una aplicación víctima para que proporcione código HTML o JavaScript malicioso al DOM del navegador, cuyo código es ejecutado por el navegador web en el contexto de la aplicación web vulnerable. • http://www.securityfocus.com/bid/105410 http://www.securitytracker.com/id/1041697 https://seclists.org/fulldisclosure/2018/Sep/39 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-11075 – DSA-2018-152: RSA® Authentication Manager Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2018-11075
RSA Authentication Manager versions prior to 8.3 P3 contain a reflected cross-site scripting vulnerability in a Security Console page. A remote, unauthenticated malicious user, with the knowledge of a target user's anti-CSRF token, could potentially exploit this vulnerability by tricking a victim Security Console user to supply malicious HTML or JavaScript code to the vulnerable web application, which code is then executed by the victim's web browser in the context of the vulnerable web application. RSA Authentication Manager en versiones anteriores a la 8.3 P3 contiene una vulnerabilidad de Cross-Site Scripting (XSS) reflejado en una página Security Console. Un usuario remoto no autenticado malicioso podría, conociendo el token anti-CSRF de un usuario objetivo, explotar esta vulnerabilidad engañando a un usuario de Security Console víctima para que proporcione código HTML o JavaScript malicioso a la aplicación web vulnerable, cuyo código es ejecutado por el navegador web en el contexto de la aplicación web vulnerable. • http://www.securityfocus.com/bid/105410 http://www.securitytracker.com/id/1041697 https://seclists.org/fulldisclosure/2018/Sep/39 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-1253 – Stored cross-site scripting vulnerability
https://notcve.org/view.php?id=CVE-2018-1253
RSA Authentication Manager Operation Console, versions 8.3 P1 and earlier, contains a stored cross-site scripting vulnerability. A malicious Operations Console administrator could potentially exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface. When other Operations Console administrators open the affected page, the injected scripts could potentially be executed in their browser. RSA Authentication Manager Operation Console, en versiones 8.3 P1 y anteriores, contiene una vulnerabilidad de Cross-Site Scripting (XSS) persistente. Un administrador de Operations Console podría explotar esta vulnerabilidad para almacenar código HTML o JavaScript arbitrario mediante la interfaz web. • http://seclists.org/fulldisclosure/2018/Jun/39 http://www.securityfocus.com/bid/104534 http://www.securitytracker.com/id/1041134 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-1254
https://notcve.org/view.php?id=CVE-2018-1254
RSA Authentication Manager Security Console, versions 8.3 P1 and earlier, contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim Security Console administrator to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. RSA Authentication Manager Security Console en versiones 8.3 P1 y anteriores contiene una vulnerabilidad Cross-Site Scripting (XSS) reflejado. Un atacante remoto no autenticado podría explotar esta vulnerabilidad engañando a un administrador Security Console víctima para que proporcione código HTML o JavaScript malicioso a una aplicación web vulnerable, que se devuelve a la víctima y es ejecutado por el navegador web. • http://seclists.org/fulldisclosure/2018/Jun/39 http://www.securityfocus.com/bid/104534 http://www.securitytracker.com/id/1041134 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-15546
https://notcve.org/view.php?id=CVE-2017-15546
The Security Console in EMC RSA Authentication Manager 8.2 SP1 P6 and earlier is affected by a blind SQL injection vulnerability. Authenticated malicious users could potentially exploit this vulnerability to read any unencrypted data from the database. Security Console en EMC RSA Authentication Manager 8.2 SP1 P6 y anteriores está afectado por una vulnerabilidad de inyección SQL ciega. Usuarios autenticados maliciosos podrían explotar esta vulnerabilidad para leer cualquier dato sin cifrar de la base de datos. • http://seclists.org/fulldisclosure/2018/Jan/81 http://www.securityfocus.com/bid/102838 http://www.securitytracker.com/id/1040268 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •