CVE-2018-8651 | Microsoft Dynamics NAV Cross Site Scripting Vulnerability
A cross-site scripting (XSS) vulnerability exists when Microsoft Dynamics NAV does not properly sanitize a specially crafted web request to an affected Dynamics NAV server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected Dynamics NAV server.
The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions within Dynamics NAV Server on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.
The security update addresses the vulnerability by helping to ensure that Dynamics NAV Server properly sanitizes web requests.
Mayank Kapoor of Lateral Security
Persistent cross-site scripting (XSS) in Splunk Dashboard
|Title:||Persistent cross-site scripting (XSS) in Splunk Dashboard|
|Versions:||6.1.x before 6.1.4, 6.0.x before 6.0.6, 5.0.x before 5.0.10|
|Timeline:||August 6th 2014 : Issue disclosed to vendor
August 15th 2014 : Issue and reproduction confirmed by vendor
September 30th 2014 : Vendor publishes security advisory and patch
A persistent cross-site scripting (XSS) vulnerability allows for malicious content to be stored by and into a web application that is subsequently accessed and executed in the context of a victim user’s web browser.
In the Splunk Web application (part of Splunk Enterprise) the name of searches that are automatically saved, such as those generated when creating reports, are not subject to the same input filtering as those that are manually created by a user. When viewing the information of a saved search that has completed running, the name of the search is displayed and not sufficiently HTML encoded.
An attacker who can coerce another user to inspect the injected saved search would have the potential to hijack the attacked users entire Splunk session. In the event that this user is an administrative user, this could have significant consequences for the security of the entire Splunk instance.
Update to Splunk Enterprise version 6.1.4, 6.0.6 or 5.0.10 or greater to resolve this issue.