SecurityTracker.com
Category:   Application (Generic)  >   EMC Watch4net
Vendors:   EMC
EMC M&R/Watch4net Bugs Let Remote Users Obtain Passwords and Conduct Cross-Site Scripting Attacks and Let Remote Authenticated Users Upload and Download Arbitrary Files
SecurityTracker Alert ID:  1031567
SecurityTracker URL:  http://securitytracker.com/id/1031567
CVE Reference:   CVE-2015-0513, CVE-2015-0514, CVE-2015-0515, CVE-2015-0516
Date:  Jan 20 2015
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 6.5u1
Description:   Several vulnerabilities were reported in EMC M&R/Watch4net. A remote authenticated user can upload and download arbitrary files. A remote user can conduct cross-site scripting attacks. A remote user can obtain passwords.

The administrative user interface does not properly filter HTML code from user-supplied input before displaying the input [CVE-2015-0513]. A remote user can cause arbitrary scripting code to be executed by the target authenticated user's browser. The code will originate from the EMC Watch4net interface and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Han Sahin of Securify B.V. reported this vulnerability.

A remote user can access and decrypt credentials used for data center discovery [CVE-2015-0514].

Han Sahin of Securify B.V. reported this vulnerability.

A remote authenticated user can exploit a flaw in the web interface to upload arbitrary files to the target file system [CVE-2015-0515].

A remote authenticated user can supply a specially crafted URL via the web interface to download arbitrary files from the target system [CVE-2015-0516].

Impact:   A remote authenticated user can upload arbitrary files to the target system.

A remote authenticated user can download arbitrary files from the target system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the EMC Watch4net software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can obtain passwords.

Solution:   The vendor has issued a fix (6.5u1).
Vendor URL:  www.emc.com/
Cause:   Access control error, Input validation error

Message History:   None.

