{"vuid":"VU#823452","idnumber":"823452","name":"Serena Dimensions CM 12.2 Build 7.199.0 web client vulnerabilities","keywords":["Serena","Dimensions","xss","csrf","cwe-79","cwe-352"],"overview":"Serena Dimensions CM 12.2 Build 7.199.0 web client and possibly earlier versions contains multiple cross-site scripting vulnerabilities.","clean_desc":"Serena Dimensions CM 12.2 Build 7.199.0 web client and possibly earlier versions contains multiple cross-site scripting vulnerabilities. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-0335 #Unauthenticated vulnerable parameters\n/dimensions/ [DB_CONN parameter]\n/dimensions/ [DB_NAME parameter]\n/dimensions/ [DM_HOST parameter]\n/dimensions/ [MAN_DB_NAME parameter] #Authenticated vulnerable parameters\n/dimensions/ [framecmd parameter]\n/dimensions/ [identifier parameter]\n/dimensions/ [identifier parameter]\n/dimensions/ [merant.adm.adapters.AdmDialogPropertyMgr parameter]\n/dimensions/ [nav_frame parameter]\n/dimensions/ [nav_jsp parameter]\n/dimensions/ [target_frame parameter]\n/dimensions/ [id parameter]\n/dimensions/ [type parameter] Proof-of-Concept: GET /dimensions/?jsp=login&USER_ID=sa_dmsys&PASSWORD=D%21m3nsions&SYSTEM_DEFINITIONS=0&FORWARD_TARGET=jsp%25253dlogin&MAN_DB_NAME=2f<%2fscript>