{"vuid":"VU#727318","idnumber":"727318","name":"DELL SonicWALL GMS/Analyzer/UMA contains a cross-site scripting (XSS) vulnerability","keywords":["dell","sonicwall","gms","analyzer","uma","xss","cross-site scripting","cwe-79"],"overview":"DELL SonicWALL GMS/Analyzer/UMA version 7.1, and possibly earlier versions, contains a cross-site scripting (XSS) vulnerability. (CWE-79)","clean_desc":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') DELL SonicWALL GMS/Analyzer/UMA version 7.1 contains a cross-site scripting vulnerability. The \"node_id\" parameter on the page \"/sgms/mainPage?page=genNetwork&screenid=1002&manager=ScreenDisplayManager&level=1&node_id\" is vulnerable. Proof-of-Concept: hxxps://{SONICWALL}/sgms/mainPage?page=genNetwork&screenid=1002&manager=ScreenDisplayManager&level=1&node_id=aaaaa\"><script>alert(document.cookie);</script>&screenid=1002&unused=&help_url=&node_name=Instance View&unitType=1&searchBySonicwall=0","impact":"A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session.","resolution":"Apply an Update Dell SonicWall has released version 7.1 SP2 or 7.2 to address this vulnerability. If you are unable to upgrade, please consider the following workaround.","workarounds":"Restrict access As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the interface using stolen credentials from a blocked network location.","sysaffected":"","thanks":"Thanks to William Costa for reporting this vulnerability.","author":"This document was written by Jared Allar.","public":["http://www.sonicwall.com/us/shared/download/Support_Bulletin_GMS_Vulnerability_XSS_Resolved_in_7.1_SP2_and_7.2.pdf","http://cwe.mitre.org/data/definitions/79.html","https://support.software.dell.com/product-notification/128245"],"cveids":["CVE-2014-0332"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2013-11-19T18:32:53Z","publicdate":"2014-02-11T00:00:00Z","datefirstpublished":"2014-02-11T21:39:52Z","dateupdated":"2015-09-17T20:22:43Z","revision":13,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"N","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"ND","cvss_reportconfidence":"UC","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"4.3","cvss_basevector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","cvss_temporalscore":"3.3","cvss_environmentalscore":"0.8216344647","cvss_environmentalvector":"CDP:ND/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}