VTS24-013
Cross-Site Scripting Vulnerabilities in Veritas Enterprise Vault
Revision History
- 1.0: November 12, 2024: Initial version
- 2.0: November 19, 2024: CVE ID added
- 3.0: December 3, 2024: 14.5.2 added
Summary
A vulnerability was discovered in Veritas Enterprise Vault versions 15.1 and prior. It allows an authenticated remote attacker to inject a parameter into an HTTP request, allowing for Cross-Site Scripting while viewing archived content. The injected value could be reflected back to an authenticated user without sanitization if the request is executed by that user.
| # | Issue Description | Severity | Identifier | CVE ID |
|---|---|---|---|---|
| 1 | Cross-Site Scripting Vulnerability | Medium | ZDI-CAN-24695 | |
| 2 | Cross-Site Scripting Vulnerability | Medium | ZDI-CAN-24696 | |
| 3 | Cross-Site Scripting Vulnerability | Medium | ZDI-CAN-24697 | |
| 4 | Cross-Site Scripting Vulnerability | Medium | ZDI-CAN-24698 | |
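The reflected Cross-Site Scripting pattern the Summary describes, as an added Python example that is not part of this advisory and is not Veritas code: a page handler that echoes a request parameter into HTML unencoded (the CWE-79 defect), the same handler with contextual HTML encoding, and a small regression check that flags parameter values reflected verbatim. The URL, the parameter name `view` and the probe string are constructed for illustration and do not describe Enterprise Vault's real endpoints.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request: an authenticated user follows a link whose query string
# carries an attacker-chosen value in a hypothetical "view" parameter.
CONSTRUCTED_URL = (
    "https://vault.example.invalid/archive?view=%3Cscript%3Ealert(1)%3C/script%3E"
)


def get_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, percent-decoded."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_vulnerable(view: str) -> str:
    # CWE-79: the request parameter is concatenated into the page unchanged,
    # so any markup it contains is parsed by the victim's browser.
    return f"<h1>Archived item</h1><p>Viewing: {view}</p>"


def render_hardened(view: str) -> str:
    # Contextual output encoding for an HTML text node: html.escape with
    # quote=True turns <, >, &, " and ' into entities, so the value is shown
    # as text rather than interpreted as markup. Other contexts (attributes,
    # URLs, JavaScript) need their own encoders.
    return f"<h1>Archived item</h1><p>Viewing: {html.escape(view, quote=True)}</p>"


def unescaped_reflections(url: str, body: str) -> list[str]:
    """Regression check: names of query parameters whose raw value contains
    markup characters and appears verbatim in the response body."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    hits = []
    for name, values in qs.items():
        for value in values:
            if any(ch in value for ch in "<>\"'") and value in body:
                hits.append(name)
                break
    return hits


if __name__ == "__main__":
    value = get_param(CONSTRUCTED_URL, "view")
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        body = render(value)
        print(f"{label}: reflected unescaped = {unescaped_reflections(CONSTRUCTED_URL, body)}")
```

The check in `unescaped_reflections` is deliberately narrow: it only catches values echoed byte-for-byte, which is enough for a unit test guarding a fixed handler but not a substitute for a proper scanner or a Content-Security-Policy that forbids inline script.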
Issue
CVE ID: See above
Severity: Medium
CVSS v3.1 Base Score 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected Versions
All currently supported versions of Enterprise Vault: 15.1, 15.0, 15.0.1, 15.0.2, 14.5, 14.5.2, 14.5.1, 14.4, 14.4.1, 14.4.2, 14.3, 14.3.1, 14.3.2, 14.2, 14.2.3, 14.2.2, 14.2.1, 14.1.3, 14.1.2, 14.1.1, 14.1, 14.0.1, 14.0. Earlier unsupported versions may be affected as well.
Remediation
Use the following links to obtain the security patches built for versions 14.5.2, 15.0 and 15.1. Review the Readme for detailed installation steps and ensure that these patches are applied to all Enterprise Vault servers in the environment. Customers running older versions of the product are advised to plan their upgrades accordingly.
Enterprise Vault 14.5.2 - Cross-Site Scripting Vulnerabilities Fixes
https://www.veritas.com/support/en_US/downloads/update.UPD287322
Enterprise Vault 15.0.2 - Cross-Site Scripting Vulnerabilities Fixes
https://www.veritas.com/support/en_US/downloads/update.UPD368184
Enterprise Vault 15.1 - Cross-Site Scripting Vulnerabilities Fixes
https://www.veritas.com/support/en_US/downloads/update.UPD882911
Questions
For questions or problems regarding these vulnerabilities, please contact Veritas Technical Support (https://www.veritas.com/support).
Acknowledgement
Veritas would like to thank Sina Kheirkhah working with Trend Micro’s Zero Day Initiative (ZDI) for notifying us of these vulnerabilities.
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054