Detections
Analytics
BlackBerry Enterprise Server MDS Connection Service XSS
medium Nessus Plugin ID 38199
Synopsis
The remote Windows application is affected by cross-site scripting vulnerabilities.Description
The remote host is running the BlackBerry Enterprise Server MDS Connection Service. The installed version is affected by cross-site scripting vulnerabilities involving the 'customDate', 'interval', 'lastCustomInterval', 'lastIntervalLength', 'nextCustomInterval', 'nextIntervalLength', 'action', 'delIntervalIndex', 'addStatIndex', 'delStatIndex', and 'referenceTime' parameters of the 'admin/statistics/ConfigureStatistics' script. An attacker can leverage these in order to execute arbitrary script code or steal cookie-based authentication credentials.Solution
Upgrade to BlackBerry Enterprise Server 4.1.6 MR5 or later.See Also
http://www.nessus.org/u?542ac24d
https://www.securityfocus.com/archive/1/502746/30/0/threaded
Plugin Details
Severity: Medium
ID: 38199
File Name: blackberry_es_connection_service_xss.nasl
Version: 1.19
Type: local
Family: CGI abuses : XSS
Published: 4/28/2009
Updated: 4/11/2022
Configuration: Enable thorough checks
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.8
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.7
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
Vulnerability Information
CPE: cpe:/a:rim:blackberry_enterprise_server
Exploit Ease: No exploit is required
Exploited by Nessus: true
Reference Information
CVE: CVE-2009-0307
BID: 34573