VTS24-013

Cross-Site Scripting Vulnerabilities in Veritas Enterprise Vault

Revision History

  • 1.0: November 12, 2024: Initial version
  • 2.0: November 19, 2024: CVE ID added
  • 3.0: December 3, 2024: 14.5.2 added

Summary

A vulnerability was discovered in Veritas Enterprise Vault versions 15.1 and prior. It allows an authenticated remote attacker to inject a crafted parameter into an HTTP request so that the value is reflected, without sanitization, into the page rendered when archived content is viewed (reflected Cross-Site Scripting). The injected script runs in the browser of an authenticated user who is induced to open that request, for example by following a crafted link, and executes with that user's session.

  Issue  Description                          Severity  Identifier     CVE ID
  1      Cross-Site Scripting Vulnerability   Medium    ZDI-CAN-24695  CVE-2024-52941
  2      Cross-Site Scripting Vulnerability   Medium    ZDI-CAN-24696  CVE-2024-52942
  3      Cross-Site Scripting Vulnerability   Medium    ZDI-CAN-24697  CVE-2024-52943
  4      Cross-Site Scripting Vulnerability   Medium    ZDI-CAN-24698  CVE-2024-52944

Issue

CVE ID: See above
Severity: Medium
CVSS v3.1 Base Score 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
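The following is an added illustration of the CWE-79 pattern described in this advisory, not Enterprise Vault code: a hypothetical "view archived item" handler whose `item` query parameter (an assumed name) is reflected verbatim into the page, beside the hardened form that applies context-appropriate output encoding. It also shows the caveat that HTML entity encoding alone is not enough when the value lands in an unquoted attribute, and a small check that can be run against a rendered page to confirm whether a probe string came back with its markup intact. The crafted URL and probe value are constructed for the example.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit


def _item_param(url: str) -> str:
    """Extract the hypothetical 'item' query parameter (assumed name) from a URL."""
    return parse_qs(urlsplit(url).query).get("item", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the untrusted parameter straight into the HTML body: CWE-79."""
    return f"<h1>Archived item: {_item_param(url)}</h1>"


def render_hardened(url: str) -> str:
    """Same page, with HTML entity encoding applied before the value is emitted."""
    return f"<h1>Archived item: {escape(_item_param(url), quote=True)}</h1>"


def render_attr_unquoted(value: str) -> str:
    """Caveat: escape() does not touch spaces or '=', so an unquoted attribute
    is still injectable even though the value was 'encoded'."""
    return f"<a href={escape(value, quote=True)}>open</a>"


def render_attr_quoted(value: str) -> str:
    """Quoting the attribute makes the encoded value inert in that context."""
    return f'<a href="{escape(value, quote=True)}">open</a>'


def reflected_unencoded(page: str, probe: str) -> bool:
    """True if a probe containing markup characters appears verbatim in the
    rendered page, i.e. the reflection point did not encode it."""
    has_markup = any(c in probe for c in "<>\"'")
    return has_markup and probe in page


# Constructed sample input: a crafted link an attacker would send to a victim.
PROBE = "<script>alert(1)</script>"
CRAFTED_URL = "https://vault.example.invalid/view?item=" + PROBE
ATTR_PROBE = "x onmouseover=alert(1)"

if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(CRAFTED_URL))
    print("hardened   :", render_hardened(CRAFTED_URL))
    print("unquoted   :", render_attr_unquoted(ATTR_PROBE))
    print("quoted     :", render_attr_quoted(ATTR_PROBE))
    print("reflected? :", reflected_unencoded(render_vulnerable(CRAFTED_URL), PROBE))
```

The `reflected_unencoded` check is what a verification step after patching looks like in principle: request the page with a harmless probe value in each reflected parameter and confirm the probe comes back entity-encoded rather than as raw markup. The probe string must carry the markup characters that matter for the context the value is rendered in; a value reflected inside a script block or an event handler attribute needs JavaScript string encoding, not HTML entity encoding.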

Affected Versions

All currently supported Enterprise Vault versions: 15.1, 15.0.2, 15.0.1, 15.0, 14.5.2, 14.5.1, 14.5, 14.4.2, 14.4.1, 14.4, 14.3.2, 14.3.1, 14.3, 14.2.3, 14.2.2, 14.2.1, 14.2, 14.1.3, 14.1.2, 14.1.1, 14.1, 14.0.1, 14.0. Earlier unsupported versions may be affected as well.

Remediation

Use the following links to obtain the security patches built for versions 14.5.2, 15.0.2 and 15.1. Review the Readme for detailed installation steps and ensure that the patch is applied to every Enterprise Vault server in the environment; a single unpatched server still exposes the reflected parameter. Customers running other affected versions should upgrade to 14.5.2, 15.0.2 or 15.1 and then apply the corresponding patch.

Enterprise Vault 14.5.2 - Cross-Site Scripting Vulnerabilities Fixes

https://www.veritas.com/support/en_US/downloads/update.UPD287322

Enterprise Vault 15.0.2 - Cross-Site Scripting Vulnerabilities Fixes

https://www.veritas.com/support/en_US/downloads/update.UPD368184

Enterprise Vault 15.1 - Cross-Site Scripting Vulnerabilities Fixes

https://www.veritas.com/support/en_US/downloads/update.UPD882911

Questions

For questions or problems regarding these vulnerabilities, please contact Veritas Technical Support (https://www.veritas.com/support).

Acknowledgement

Veritas would like to thank Sina Kheirkhah working with Trend Micro’s Zero Day Initiative (ZDI) for notifying us of these vulnerabilities.

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054