Published: 2016-09-17 22:59:03
Revised: 2016-11-28 14:56:04
[Original text] EMC ViPR SRM before 3.7.2 does not restrict the number of password-authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force guessing attack.
- CVSS (base score)
- CWE (weakness category)
- CPE (affected platforms and products)
- OVAL (technical details for detection)
(VENDOR_ADVISORY) BUGTRAQ 20160913 ESA-2016-104: EMC ViPR SRM Multiple Vulnerabilities
(UNKNOWN) BID 92945
- Vulnerability information (F138711)
EMC ViPR SRM XSS / CSRF / File Upload / Brute Force (PacketStormID: F138711)
EMC ViPR SRM versions prior to 3.7.2 suffer from cross site request forgery, cross site scripting, brute force, and remote file upload vulnerabilities.
Title: EMC ViPR SRM Multiple Security Vulnerabilities
Class: Input Validation Error
Bugtraq ID: 92945
Published: 2016-09-14 12:00:00
Updated: 2016-09-14 12:00:00
Credit: Eric Flokstra of Outpost24 and Han Sahin of Securify B.V.
Vulnerable:
- EMC ViPR SRM 3.7.1
- EMC ViPR SRM 3.7
- EMC ViPR SRM 3.6.4
- EMC ViPR SRM 3.6.3
- EMC ViPR SRM 3.6.2
- EMC ViPR SRM 3.6.1
- EMC ViPR SRM 3.6.0

Not vulnerable:
- EMC ViPR SRM 3.7.2
EMC ViPR SRM is prone to the following security vulnerabilities:
1. An arbitrary file upload vulnerability
2. A cross-site scripting vulnerability
3. An HTML injection vulnerability
4. An authentication-bypass vulnerability
Exploiting these issues could allow an attacker to upload arbitrary files, run malicious HTML and script code, steal cookie-based authentication credentials, bypass the authentication mechanism, and perform unauthorized actions.
Versions prior to EMC ViPR SRM 3.7.2 are vulnerable.
An attacker can exploit these issues through a browser or readily available tools. An attacker must trick an unsuspecting victim into following a malicious URI to exploit the cross-site scripting issues.
Updates are available. Please see the references or vendor advisory for more information.