This script is Copyright (C) 2016 Tenable Network Security, Inc.
The remote Windows host has an application installed that is affected
by multiple vulnerabilities.
According to its version, the BlackBerry Enterprise Service (BES)
installation on the remote host is older than 12.4. It is,
therefore, affected by the following vulnerabilities:
- A SQL injection vulnerability exists due to improper
sanitization of user-supplied input to the 'ImageName'
parameter of the com.rim.mdm.ui.server.ImageServlet
servlet. A remote attacker can exploit this, by
convincing a user to click a specially crafted link, to
inject or manipulate SQL queries sent to the back-end
database, resulting in the manipulation or disclosure of
arbitrary data. (CVE-2016-1914)
- Multiple cross-site scripting vulnerabilities exist due
to improper sanitization of user-supplied input to the
'locale' parameter in the index.jsp and loggedOut.jsp
scripts. A remote attacker can exploit this, via a
specially crafted request, to execute arbitrary script
code in a user's browser session. (CVE-2016-1915)
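The two findings above are the textbook injection classes: a request
parameter spliced into SQL text, and a request parameter reflected into
HTML without encoding. The following is an added illustration of both,
written for this page and not code from BlackBerry Enterprise Service;
the in-memory table, the column names and the page template are
constructed stand-ins, and the payloads are generic examples of the
class, not the vectors used against BES.

```python
import html
import sqlite3


def _image_db():
    """Constructed in-memory image store standing in for the back-end
    database (assumption: schema and rows are illustrative only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (name TEXT, owner TEXT, data TEXT)")
    conn.executemany(
        "INSERT INTO images VALUES (?, ?, ?)",
        [("logo.png", "admin", "PNG..."), ("secret.png", "hr", "PNG...")],
    )
    return conn


def fetch_image_vulnerable(conn, image_name):
    """Builds the query by string concatenation, so quotes and operators
    in the 'ImageName' value become part of the SQL the database parses."""
    sql = "SELECT name FROM images WHERE name = '" + image_name + "'"
    return [row[0] for row in conn.execute(sql)]


def fetch_image_fixed(conn, image_name):
    """Same lookup with a bound parameter: the value travels out of band
    and cannot alter the statement's structure."""
    sql = "SELECT name FROM images WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (image_name,))]


def render_locale_vulnerable(locale):
    """Reflects the 'locale' parameter into an HTML attribute verbatim."""
    return '<html lang="' + locale + '"><body>Logged out</body></html>'


def render_locale_fixed(locale):
    """Entity-encodes the parameter for the attribute context it lands in.
    quote=True is what stops a value from closing the attribute early."""
    safe = html.escape(locale, quote=True)
    return '<html lang="' + safe + '"><body>Logged out</body></html>'


if __name__ == "__main__":
    db = _image_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", fetch_image_vulnerable(db, probe))  # every row
    print("fixed:     ", fetch_image_fixed(db, probe))       # no match
    marker = '"><script>alert(1)</script>'
    print(render_locale_vulnerable(marker))
    print(render_locale_fixed(marker))
```

The fixed variants show the two checks a reviewer would look for in a
servlet and its JSPs: every query takes its values through bind
parameters, and every reflected parameter is encoded for the exact
context (attribute, element body, script) into which it is written.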
See also :
Solution :
Update to BlackBerry Enterprise Service version 12.4 or later.
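The check itself is a version comparison against 12.4, and the usual
mistake is to compare version strings lexically, which would wrongly
flag a hypothetical 12.10 as older than 12.4. The following is an added
example of a numeric, component-wise comparison; it is not Tenable's
plugin code, and the version strings it is run against are constructed.

```python
import re

# Version in which the fixes shipped, per the advisory above.
FIXED_VERSION = "12.4"


def parse_version(version):
    """Split a dotted version string into a tuple of ints so comparison
    is numeric per component. A non-numeric suffix on a component
    (e.g. a build tag such as '9-build42', an assumed format) keeps
    its leading digits; anything after a wholly non-numeric piece is
    dropped."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError("unparsable version: %r" % version)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 like a classic cmp(); shorter tuples are
    zero-padded so that 12.4 and 12.4.0 compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed BES version is older than the fixed one."""
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    for v in ("12.3.1", "12.4", "12.4.0", "12.10"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

Note the deliberate difference from a plain string comparison:
`"12.10" < "12.4"` is true in Python because `'1' < '4'`, while
`is_vulnerable("12.10")` is correctly false.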
Risk factor :
Medium / CVSS Base Score : 6.0
CVSS Temporal Score : 5.0
Public Exploit Available : true