SPIDynamics WebInspect cross-application scripting
spidynamics-webinspect-xas (21541)
Description:
SPIDynamics WebInspect is vulnerable to cross-application scripting (XAS). Data collected by the application is not properly filtered before it is included in content rendered by an embedded Internet Explorer COM object. A remote attacker could supply a specially crafted URL containing script; once the link is followed and the content is rendered in the console, the script would execute in the victim's Web browser control within the security context of the application rather than that of the originating site. An attacker could use this vulnerability to gain the access level of the targeted victim within the vulnerable console.
The vendor states that this vulnerability cannot be reproduced.
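The defect class described above, as an added illustration: this is not WebInspect code and does not come from the advisory. It is a hypothetical scanner report builder that concatenates collected results (page titles taken from scanned sites) into HTML that an embedded browser control will render, shown beside a version that HTML-encodes each untrusted field first. The sample results, payloads and function names are constructed for this example.

```javascript
// Added example, not WebInspect code: a hypothetical scanner that renders
// collected data in an embedded browser control, shown unsafe and hardened.

// Constructed sample of data a scanner might collect from a target site.
// The second and third titles are attacker-controlled page titles.
const SCAN_RESULTS = [
  { url: "http://target.example/index.html", title: "Welcome" },
  { url: "http://target.example/page2.html",
    title: "<script>alert(document.location)</script>" },
  { url: "http://target.example/page3.html",
    title: '<img src=x onerror="alert(1)">' },
];

// Vulnerable: each untrusted field is concatenated straight into the report
// markup, so a title that contains HTML becomes part of the report's DOM.
// When the report is rendered in an embedded browser control, that script
// runs with the privileges of the rendering application, not of the
// scanned site.
function buildReportUnsafe(results) {
  const rows = results.map(
    (r) => `<tr><td>${r.url}</td><td>${r.title}</td></tr>`,
  );
  return `<table>\n${rows.join("\n")}\n</table>`;
}

// Hardened: HTML-encode every untrusted value before it enters element
// content or a quoted attribute. Encoding the five characters below is
// sufficient for those two contexts; a value placed in a URL or script
// context would need that context's own encoding instead.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function buildReportSafe(results) {
  const rows = results.map(
    (r) => `<tr><td>${escapeHtml(r.url)}</td><td>${escapeHtml(r.title)}</td></tr>`,
  );
  return `<table>\n${rows.join("\n")}\n</table>`;
}

// Check used by the demonstration: does the raw payload survive verbatim
// in the generated markup? If it does, the browser control will parse it
// as HTML rather than display it as text.
function payloadSurvives(reportHtml, payload) {
  return reportHtml.includes(payload);
}

const SCRIPT_PAYLOAD = SCAN_RESULTS[1].title;
const EVENT_PAYLOAD = SCAN_RESULTS[2].title;

console.log("unsafe report keeps <script>:",
  payloadSurvives(buildReportUnsafe(SCAN_RESULTS), SCRIPT_PAYLOAD));
console.log("safe report keeps <script>:",
  payloadSurvives(buildReportSafe(SCAN_RESULTS), SCRIPT_PAYLOAD));
console.log("safe report keeps onerror handler:",
  payloadSurvives(buildReportSafe(SCAN_RESULTS), EVENT_PAYLOAD));
```

The point the check makes is the one the advisory turns on: the scanner, not the scanned site, is the author of the report as far as the embedded control is concerned, so any markup that survives from a scanned page executes with the scanner's privileges. Output encoding at the point where collected data enters the report is the fix; filtering on the way in is not a substitute, because the same value can be reused in several output contexts.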
Consequences:
Gain Access
Remedy:
Upgrade to WebInspect 7 or later, available from the SPIDynamics Web site. See References.
References:
- BugTraq Mailing List, Wed Jul 27 2005 - 13:08:12 CDT: RE: [Full-disclosure] SPIDynamics WebInspect Cross-Application Scripting (XAS).
- Full-disclosure Mailing List, Tue Jul 26 2005 - 04:45:29 CDT: SPIDynamics WebInspect Cross-Application Scripting (XAS).
- SPIDynamics Web site: SPIDynamics Home.
- BID-14385: SPI Dynamics WebInspect Cross Application Script Injection Vulnerability
- CVE-2005-2442: Cross-Application Scripting (XAS) vulnerability in SPI Dynamics WebInspect 5.0.196 allows remote attackers to inject Javascript from one application into another.
- SA16191: SPI Dynamics WebInspect Script Insertion Vulnerability
- SECTRACK ID: 1014582: SPI Dynamics WebInspect Reporting Function Lets Remote Sites Execute Scripting Code on the Target System
Platforms Affected:
- SPIDynamics WebInspect
Reported:
Jul 26, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
