BlackBerry Enterprise Service (BES) Management Console 12.x < 12.4.1 Multiple XSS

medium Nessus Plugin ID 91460

Synopsis

The remote host is running an application that is affected by multiple cross-site scripting vulnerabilities.

Description

According to its self-reported version, the BlackBerry Enterprise Service (BES) management console running on the remote host is a version prior to 12.4.1. It is, therefore, affected by the following vulnerabilities:

- A cross-site scripting vulnerability exists due to improper validation of crafted admin policies. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-1916)

- Multiple unspecified cross-site scripting vulnerabilities exist due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-1917, CVE-2016-1918, CVE-2016-3126)

Solution

Upgrade to BlackBerry Enterprise Service version 12.4.1 or later.

See Also

http://support.blackberry.com/kb/articleDetail?articleNumber=000038117

http://support.blackberry.com/kb/articleDetail?articleNumber=000038118

http://support.blackberry.com/kb/articleDetail?articleNumber=000038119

Plugin Details

Severity: Medium

ID: 91460

File Name: blackberry_es_12_4_1.nasl

Version: 1.5

Type: combined

Published: 6/3/2016

Updated: 11/19/2019

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2016-3126

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:blackberry:blackberry_enterprise_service

Required KB Items: installed_sw/BlackBerry Enterprise Service

Exploit Ease: No exploit is required

Patch Publication Date: 4/12/2016

Vulnerability Publication Date: 4/12/2016

Reference Information

CVE: CVE-2016-1916, CVE-2016-1917, CVE-2016-1918, CVE-2016-3126