製品・ソフトウェアに関する情報

JVN脆弱性詳細

複数の Dell SonicWALL 製品の Alert Settings セクションにおけるクロスサイトスクリプティングの脆弱性

Title	複数の Dell SonicWALL 製品の Alert Settings セクションにおけるクロスサイトスクリプティングの脆弱性
Summary	Dell SonicWALL Global Management System (GMS)、Analyzer、および UMA EM5000 の Alert Settings セクションの ematStaticAlertTypes.jsp には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	リモート認証されたユーザにより、createNewThreshold.jsp の (1) valfield_1 または (2) value_1 パラメータを介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 5, 2013, midnight
Registration Date	Dec. 16, 2013, 3:32 p.m.
Last Update	Dec. 16, 2013, 3:32 p.m.

CVSS2.0 : 注意
Score	3.5
Vector	AV:N/AC:M/Au:S/C:N/I:P/A:N

Affected System

デル

Dell SonicWALL Analyzer 7.1 SP1 Hotfix 134235 未満の 7.x

Dell SonicWALL Global Management System 7.1 SP1 Hotfix 134235 未満の 7.x

Dell SonicWALL Universal Management Appliance E5000

Dell SonicWALL Universal Management Appliance E5000 ソフトウェア 7.1 SP1 Hotfix 134235 未満の 7.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-7025	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7025
National Vulnerability Database (NVD)
2	CVE-2013-7025	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7025

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
Service Bulletin
1	Dell SonicWALL GMS Service Bulletin for Cross-Site Scripting Vulnerability	http://www.sonicwall.com/us/shared/download/Support_Bulletin_GMS_Vulnerability_Hotfix_134235.pdf
2	クロスサイトスクリプティング脆弱性に関する Dell SonicWALL GMS サービス速報	http://www.sonicwall.com/japan/support/support_notice131209.html

その他

No	Name	URL
関連文書
1	Sonicwall GMS v7.x - Filter Bypass & Persistent Vulnerability	http://www.vulnerability-lab.com/get_content.php?id=1099

Change Log

No	Changed Details	Date of change
0	[2013年12月16日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-7025

Summary	Multiple cross-site scripting (XSS) vulnerabilities in ematStaticAlertTypes.jsp in the Alert Settings section in Dell SonicWALL Global Management System (GMS), Analyzer, and UMA EM5000 7.1 SP1 before Hotfix 134235 allow remote authenticated users to inject arbitrary web script or HTML via the (1) valfield_1 or (2) value_1 parameter to createNewThreshold.jsp.
Publication Date	Dec. 10, 2013, 1:36 a.m.
Registration Date	Jan. 26, 2021, 3:49 p.m.
Last Update	Nov. 21, 2024, 11 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:sonicwall:analyzer:7.0:::::::*
cpe:2.3:a:sonicwall:analyzer:7.1:::::::*
cpe:2.3:a:sonicwall:analyzer:7.1:sp1::::::
cpe:2.3:a:sonicwall:global_management_system:7.0:::::::*
cpe:2.3:a:sonicwall:global_management_system:7.1:::::::*
cpe:2.3:a:sonicwall:global_management_system:7.1:sp1::::::

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:sonicwall:uma_e5000_firmware:7.0:::::::*
cpe:2.3:o:sonicwall:uma_e5000_firmware:7.1:::::::*
cpe:2.3:o:sonicwall:uma_e5000_firmware:7.1:sp1::::::
execution environment
1	cpe:2.3:h:sonicwall:uma_e5000:-:::::::*

Related information, measures and tools

No	URL	タグ
1	http://archives.neohapsis.com/archives/bugtraq/2013-12/0022.html	Third Party Advisory
2	http://archives.neohapsis.com/archives/bugtraq/2013-12/0022.html	Third Party Advisory
3	http://osvdb.org/100610	Broken Link
4	http://osvdb.org/100610	Broken Link
5	http://seclists.org/fulldisclosure/2013/Dec/32	Exploit Mailing List Third Party Advisory
6	http://seclists.org/fulldisclosure/2013/Dec/32	Exploit Mailing List Third Party Advisory
7	http://secunia.com/advisories/55923	Third Party Advisory
8	http://secunia.com/advisories/55923	Third Party Advisory
9	http://www.exploit-db.com/exploits/30054	Exploit Third Party Advisory VDB Entry
10	http://www.exploit-db.com/exploits/30054	Exploit Third Party Advisory VDB Entry
11	http://www.securityfocus.com/bid/64103	Exploit Third Party Advisory VDB Entry
12	http://www.securityfocus.com/bid/64103	Exploit Third Party Advisory VDB Entry
13	http://www.securitytracker.com/id/1029433	Third Party Advisory VDB Entry
14	http://www.securitytracker.com/id/1029433	Third Party Advisory VDB Entry
15	http://www.sonicwall.com/us/shared/download/Support_Bulletin_GMS_Vulnerability_Hotfix_134235.pdf	Vendor Advisory
16	http://www.sonicwall.com/us/shared/download/Support_Bulletin_GMS_Vulnerability_Hotfix_134235.pdf	Vendor Advisory
17	http://www.vulnerability-lab.com/get_content.php?id=1099	Exploit
18	http://www.vulnerability-lab.com/get_content.php?id=1099	Exploit
19	https://exchange.xforce.ibmcloud.com/vulnerabilities/89462	VDB Entry
20	https://exchange.xforce.ibmcloud.com/vulnerabilities/89462	VDB Entry

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:sonicwall:analyzer:7.0:::::::*
cpe:2.3:a:sonicwall:analyzer:7.1:::::::*
cpe:2.3:a:sonicwall:analyzer:7.1:sp1::::::
cpe:2.3:a:sonicwall:global_management_system:7.0:::::::*
cpe:2.3:a:sonicwall:global_management_system:7.1:::::::*
cpe:2.3:a:sonicwall:global_management_system:7.1:sp1::::::