BlackBerry Enterprise Service (BES) Management Console 12.x < 12.4.1 Multiple XSS

Medium Nessus Plugin ID 91460

Synopsis

The remote host is running an application that is affected by multiple cross-site scripting vulnerabilities.

Description

According to its self-reported version, the BlackBerry Enterprise Service (BES) management console running on the remote host is prior to 12.4.1. It is, therefore, affected by the following vulnerabilities:

- A cross-site scripting vulnerability exists due to improper validation of crafted admin policies. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-1916)

- Multiple unspecified cross-site scripting vulnerabilities exist due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-1917, CVE-2016-1918, CVE-2016-3126)

Solution

Upgrade to BlackBerry Enterprise Service version 12.4.1 or later.

See Also

http://support.blackberry.com/kb/articleDetail?articleNumber=000038117

http://support.blackberry.com/kb/articleDetail?articleNumber=000038118

http://support.blackberry.com/kb/articleDetail?articleNumber=000038119

Plugin Details

Severity: Medium

ID: 91460

File Name: blackberry_es_12_4_1.nasl

Version: $Revision: 1.2 $

Type: combined

Published: 2016/06/03

Modified: 2016/06/06

Dependencies: 20949, 91461

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4.3

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND

Vulnerability Information

CPE: cpe:/a:blackberry:blackberry_enterprise_service

Required KB Items: installed_sw/BlackBerry Enterprise Service

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/04/12

Vulnerability Publication Date: 2016/04/12

Reference Information

CVE: CVE-2016-1916, CVE-2016-1917, CVE-2016-1918, CVE-2016-3126