Initial Publication Date: 31 Aug 2016
Advisory Status: Closed
Advisory Severity: Medium
CVSS Base Score: 6.9
Legacy ID: SYM16-014
Symantec has addressed an issue in the GeoTrust Security Center management portal used for issuing SSL/TLS digital certificates. The portal was vulnerable to a blind cross-site scripting (XSS) attack because it failed to properly sanitize user-supplied input. An attacker could potentially use this to gain unauthorized access to information and management tools available through the GeoTrust Security Center portal.
Symantec GeoTrust Security Center
The product has already been updated (hosted solution). No manual update or patching is required.
Symantec GeoTrust Security Center Management Console Blind Cross-Site Scripting Vulnerability
The Symantec GeoTrust Security Center Management Console was vulnerable to a blind XSS issue. XSS issues arise when user input and server output are insufficiently validated and sanitized.
During initial registration on Security Center, a malicious user supplies specially formatted input in one of the required user-input fields. After registration, this payload is stored in the back-end systems and remains dormant until an internal user opens a user-action page on the internal Security Center site and, without realising it, triggers the stored script. Unlike a typical blind XSS attack, an attacker exploiting this vulnerability may be able to control, to some extent, where on the internal page the payload is rendered. An attacker with sufficient knowledge of the site could therefore use this vulnerability to gain access to areas they are not normally permitted to reach.
Symantec engineers verified and resolved this issue, performing additional extensive testing of all site content. No customer upgrade is required.
Symantec is not aware of exploitation of or adverse impact from this finding.
Credit: Matthew Bryant (aka Mandatory)