Initial Publication Date: 12 Dec 2012
Advisory Status: Closed
Advisory Severity: High
Legacy ID:
All versions of Reporter prior to 9.4 are vulnerable. Windows, Linux, and Virtual Appliance versions are all vulnerable.
Reporter 9.3 – a fix is available in 126.96.36.199 for Windows, Linux and Virtual Reporter versions.
Reporter 9.2 and earlier – please upgrade to a later version.
Reporter 8.3 and earlier – please upgrade to a later version.
No CVE has been assigned at this time.
Reporter is vulnerable to reflected (non-persistent) cross-site scripting (XSS) attacks. User-provided data is not validated or sanitized before it is returned in responses to requests issued from the client. The CVSS score for the cross-site scripting vulnerability is 2.3 (AV:A/AC:M/Au:S/C:N/I:P/A:N).
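The defect described above, reduced to its essentials: a handler that copies a request parameter into the HTML response unmodified, beside the same handler with contextual output encoding applied. This is an added illustration, not Reporter's code; the parameter name `title`, the page template and the hostname are assumptions.

```python
"""Reflected XSS: raw interpolation of a request parameter versus HTML output encoding.

Added example, not code from the Reporter product. The handler shape, the
'title' parameter and the page template are assumed for illustration.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Minimal page template; the reflected value lands in an HTML text context.
PAGE = "<html><body><h1>Report: {title}</h1></body></html>"


def title_from_url(url: str) -> str:
    """Extract the assumed 'title' query parameter from a request URL."""
    params = parse_qs(urlsplit(url).query)
    return params.get("title", [""])[0]


def render_vulnerable(url: str) -> str:
    """Returns client-supplied data to the client unmodified: the reflected XSS pattern."""
    return PAGE.format(title=title_from_url(url))


def render_fixed(url: str) -> str:
    """Encodes the value for an HTML text context before it is returned.

    html.escape turns < > & " ' into entities, so markup in the parameter
    is displayed as text instead of being parsed by the browser.
    """
    return PAGE.format(title=html.escape(title_from_url(url), quote=True))


def contains_active_markup(body: str) -> bool:
    """Crude check used here only to show whether a tag survived into the response."""
    return "<script" in body.lower()


if __name__ == "__main__":
    # Constructed request URL carrying a marker tag (not a real Reporter endpoint).
    url = "https://reporter.example/report?title=<script>marker()</script>"
    print("vulnerable:", render_vulnerable(url))
    print("fixed:     ", render_fixed(url))
```

The fix is output encoding chosen for the context the data lands in (HTML text here); input validation alone does not help when the same value must be echoed back verbatim.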
Reporter is also vulnerable to cross-site request forgery (CSRF) through a variety of mechanisms. An attacker who lures a Reporter administrator to browse a malicious website can use CSRF to submit commands to Reporter and gain control of the product. Commands that the attacker can submit include changing the password, changing the policy, and restarting the product. The CVSS score for the CSRF vulnerability is 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C).
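CSRF works because the browser attaches the administrator's session cookie to any request a third-party page causes it to send. The standard server-side defence, shown here as an added example rather than Reporter's own code, is to require something a cross-site page cannot obtain: a per-session synchronizer token compared in constant time, backed by an Origin header check. The session store, request shape, management origin and form field names are assumptions.

```python
"""CSRF defence for state-changing management requests.

Added example, not Reporter's code. The in-memory session store, the Request
shape, the trusted origin and the 'csrf_token' field name are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field

TRUSTED_ORIGIN = "https://reporter.example"  # assumed origin of the management UI


@dataclass
class Request:
    """The parts of an HTTP request the check needs."""
    method: str
    headers: dict
    cookies: dict
    form: dict = field(default_factory=dict)


class SessionStore:
    """Maps session id -> {'user': ..., 'csrf': token}. In-memory for the example."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        # The CSRF token is bound to the session and never sent in a cookie,
        # so a cross-site page cannot make the browser supply it automatically.
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)


def csrf_token_for(store: SessionStore, sid: str) -> str:
    """Token the legitimate UI embeds in its own forms (same-origin only)."""
    return store.get(sid)["csrf"]


def authorize_state_change(store: SessionStore, req: Request) -> tuple:
    """Return (allowed, reason) for a request that would change state.

    Run before any action (password change, policy change, restart) executes.
    """
    if req.method != "POST":
        return False, "state changes must use POST"
    session = store.get(req.cookies.get("session", ""))
    if session is None:
        return False, "no valid session"
    # Browsers set Origin on cross-site POSTs; a mismatch means another site sent it.
    origin = req.headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return False, "origin mismatch"
    # Primary defence: the synchronizer token, compared in constant time.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("admin")
    # Constructed cross-site request: cookie present (sent by the browser), no token.
    forged = Request("POST", {"Origin": "https://other.example"}, {"session": sid},
                     {"new_password": "x"})
    print("forged:", authorize_state_change(store, forged))
    # Constructed same-origin request from the real UI, carrying the session token.
    legit = Request("POST", {"Origin": TRUSTED_ORIGIN}, {"session": sid},
                    {"new_password": "x", "csrf_token": csrf_token_for(store, sid)})
    print("legit: ", authorize_state_change(store, legit))
```

Rejecting non-POST requests matters as much as the token: if a password change can be triggered by a GET, an image tag on any page is enough to issue it, and no token check is reached.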
Customers can limit the impact of these vulnerabilities in these ways:
Access Reporter using a dedicated machine that does not connect to any other internal or external websites.
Update your browser regularly to take advantage of browser-based protections.
Always log out and close the browser window when management tasks have been completed.