Symantec SecurityExpressions Audit and Compliance Server Multiple XSS

This script is Copyright (C) 2009-2012 Tenable Network Security, Inc.


Synopsis :

The remote Windows host contains an application that is affected by
multiple cross-site scripting vulnerabilities.

Description :

Symantec SecurityExpressions Audit and Compliance Server is installed
on the remote host. The installed version is affected by multiple
cross-site scripting vulnerabilities.

- The web console fails to sanitize user-supplied input
to certain unspecified parameters. An authorized user may
be able to exploit this issue to inject arbitrary HTML or
script code into a user's browser to be executed
within the security context of the affected site.
(CVE-2009-3029)

- Certain error messages are not properly encoded which
could be exploited by an attacker to inject arbitrary
HTML content into a user's browser session.
(CVE-2009-3030)
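Both findings above come down to untrusted input being echoed into HTML without encoding. The following is an added illustration (not Tenable's plugin code and not Symantec's product code) of the vulnerable pattern beside its hardened form, using a constructed input value; the function names and the error-message template are assumptions made for the example.

```python
import html

# Constructed sample value: a parameter an attacker controls that the
# application reflects back inside an error message (hypothetical input,
# not taken from the advisory).
UNTRUSTED_INPUT = '<b>bad value</b> "quoted" & <more>'


def render_error_unsafe(user_value: str) -> str:
    """Vulnerable pattern: the error message embeds the raw user value.

    Any markup contained in user_value becomes part of the page's DOM,
    which is the root cause of a reflected cross-site scripting bug.
    """
    return f"<p class='error'>Invalid parameter: {user_value}</p>"


def render_error_safe(user_value: str) -> str:
    """Hardened pattern: HTML-encode the value before embedding it.

    html.escape with quote=True encodes <, >, &, " and ', so the value
    is inert both as element text and inside quoted attributes.
    """
    encoded = html.escape(user_value, quote=True)
    return f"<p class='error'>Invalid parameter: {encoded}</p>"


def reflected_unencoded(rendered_page: str, probe: str) -> bool:
    """Detection check a scanner would make: does the probe string appear
    in the response byte-for-byte, i.e. without any encoding applied?"""
    return probe in rendered_page


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_error_unsafe),
                           ("safe", render_error_safe)):
        page = renderer(UNTRUSTED_INPUT)
        print(f"{name}: reflected unencoded = "
              f"{reflected_unencoded(page, UNTRUSTED_INPUT)}")
        print("   ", page)
```

The same encoding rule applies to every context the value is written into; `html.escape` covers element text and quoted attribute values, while values placed inside JavaScript, URLs or CSS need the encoder for that context instead.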

See also :

http://www.nessus.org/u?2eb105ca

Solution :

Apply Hot Fix 1 as referenced in article KB49452.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 42083

Bugtraq ID: 36570, 36571

CVE ID: CVE-2009-3029, CVE-2009-3030