IT SECURITY TESTING & ADVISORY SERVICES

Advisories

CVE-2018-8651 | Microsoft Dynamics NAV Cross Site Scripting Vulnerability

Security Vulnerability

Published:

MITRE CVE-2018-8651

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8651

Description

A cross-site scripting (XSS) vulnerability exists when Microsoft Dynamics NAV does not properly sanitize a specially crafted web request to an affected Dynamics NAV server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected Dynamics NAV server.

The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions within Dynamics NAV Server on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

The security update addresses the vulnerability by helping to ensure that Dynamics NAV Server properly sanitizes web requests.

Acknowledgements

Mayank Kapoor of Lateral Security


Persistent cross-site scripting (XSS) in Splunk Dashboard

AdVisory Summary

Title: Persistent cross-site scripting (XSS) in Splunk Dashboard
Impact: Execution of arbitrary JavaScript
Vendor: Splunk Inc.
Product: Splunk Enterprise
Versions: 6.1.x before 6.1.4, 6.0.x before 6.0.6, 5.0.x before 5.0.10
Date Released: 30/09/2014
Researcher: Adam Bell
Identifiers: SPL-89216, CVE-2014-5466
Timeline: August 6th 2014 : Issue disclosed to vendor
August 15th 2014 : Issue and reproduction confirmed by vendor
September 30th 2014 : Vendor publishes security advisory and patch

 

TECHNICAL DETAIL

Description

A persistent cross-site scripting (XSS) vulnerability allows for malicious content to be stored by and into a web application that is subsequently accessed and executed in the context of a victim user’s web browser.

In the Splunk Web application (part of Splunk Enterprise) the name of searches that are automatically saved, such as those generated when creating reports, are not subject to the same input filtering as those that are manually created by a user. When viewing the information of a saved search that has completed running, the name of the search is displayed and not sufficiently HTML encoded.

To this end, a malicious user can create a report with a name containing malicious, JavaScript content that can be executed by another user if they inspect the saved search associated with this report.

Impact

An attacker who can coerce another user to inspect the injected saved search would have the potential to hijack the attacked users entire Splunk session. In the event that this user is an administrative user, this could have significant consequences for the security of the entire Splunk instance.

Recommendations

Update to Splunk Enterprise version 6.1.4, 6.0.6 or 5.0.10 or greater to resolve this issue.