------------------------------------------------------------------------ Cross-Site Scripting vulnerability in EMC M&R (Watch4net) Alerting Frontend ------------------------------------------------------------------------ Han Sahin, November 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A Cross-Site Scripting vulnerability was found in EMC M&R (Watch4net) Alerting Frontend. This issue allows attackers to perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, logging their keystrokes, or exploit issues in other areas of Watch4net. ------------------------------------------------------------------------ Affected products ------------------------------------------------------------------------ EMC reports that the following products are affected by this vulnerability: - EMC M&R (Watch4Net) versions prior 6.5u1 - EMC ViPR SRM versions prior to 3.6.1 ------------------------------------------------------------------------ See also ------------------------------------------------------------------------ - CVE-2015-0513 - ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ EMC released the following updated versions that resolve this vulnerability: - EMC M&R (Watch4Net) 6.5u1 - EMC ViPR SRM 3.6.1 Registered customers can download upgraded software from support.emc.com at https://support.emc.com/downloads/34247_ViPR-SRM. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20141104/cross_site_scripting_vulnerability_in_emc_m_r__watch4net__alerting_frontend.html
