Centra Session Enrollment Profile Multiple Field XSS
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
Centra contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the 'username', 'first name', and 'last name' fields are not properly sanitised before being used on the Enrollment Profile. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Discovery of this vulnerability is credited to Clorox <email@example.com>.
Centra Centra 7
Centra 7 is affected by multiple HTML injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.
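The class of flaw described above, as an added example that is not Centra code (the page does not show the application's source): a hypothetical profile renderer that interpolates the three named fields raw, beside one that HTML-encodes them on output, plus an audit helper that flags stored values which would be interpreted as markup. The function names, field keys, table layout and sample record are all assumptions.

```javascript
// Added illustration; hypothetical code, not taken from Centra.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the characters that are significant in HTML text nodes and in
// quoted attribute values. Missing fields are rendered as empty strings.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The three fields the advisory names (key names are assumed).
const FIELDS = ["username", "firstName", "lastName"];

// Before: user-supplied values reach the page unmodified, so any markup
// stored in a field becomes part of the document.
function renderProfileUnsafe(profile) {
  return FIELDS.map((f) => `<td class="${f}">${profile[f]}</td>`).join("");
}

// After: every field is encoded at the point of output, so stored markup
// is displayed as literal text instead of being parsed by the browser.
function renderProfileSafe(profile) {
  return FIELDS.map((f) => `<td class="${f}">${escapeHtml(profile[f])}</td>`).join("");
}

// Audit helper: list the fields of a stored profile whose raw value differs
// from its encoded form, i.e. fields that would alter the page if rendered raw.
function fieldsNeedingEncoding(profile) {
  return FIELDS.filter((f) => escapeHtml(profile[f]) !== String(profile[f] ?? ""));
}

// Constructed sample record (not real data).
const sample = { username: "jdoe", firstName: "<b>Pat</b>", lastName: 'O"Neil & Sons' };

console.log(renderProfileUnsafe(sample));
console.log(renderProfileSafe(sample));
console.log(fieldsNeedingEncoding(sample));
```

Encoding at output time protects the page even when older records already contain markup; the audit helper is only a way to find such records.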
No exploit is required.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org.