BlackBerry Enterprise Service (BES) Management Console 12.x < 12.4.1 Multiple XSS

Medium Nessus Plugin ID 91460

Synopsis

The remote host is running an application that is affected by multiple cross-site scripting vulnerabilities.

Description

According to its self-reported version, the BlackBerry Enterprise Service (BES) management console running on the remote host is prior to 12.4.1. It is, therefore, affected by the following vulnerabilities :

- A cross-site scripting vulnerability exists due to improper validation of crafted admin policies. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-1916)

- Multiple unspecified cross-site scripting vulnerabilities exist due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-1917, CVE-2016-1918, CVE-2016-3126)

Solution

Upgrade to BlackBerry Enterprise Service version 12.4.1 or later.

See Also

http://support.blackberry.com/kb/articleDetail?articleNumber=000038117

http://support.blackberry.com/kb/articleDetail?articleNumber=000038118

http://support.blackberry.com/kb/articleDetail?articleNumber=000038119

Plugin Details

Severity: Medium

ID: 91460

File Name: blackberry_es_12_4_1.nasl

Version: 1.3

Type: combined

Published: 2016/06/03

Modified: 2018/06/27

Dependencies: 91461, 20949

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:blackberry:blackberry_enterprise_service

Required KB Items: installed_sw/BlackBerry Enterprise Service

Exploit Available: false

Exploit Ease: No exploit is required

Patch Publication Date: 2016/04/12

Vulnerability Publication Date: 2016/04/12

Reference Information

CVE: CVE-2016-1916, CVE-2016-1917, CVE-2016-1918, CVE-2016-3126