ID

VAR-201407-0223


CVE

CVE-2014-5024


TITLE

Multiple Dell SonicWALL products: sgms/panelManager vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2014-003574

DESCRIPTION

Cross-site scripting (XSS) vulnerability in sgms/panelManager in Dell SonicWALL GMS, Analyzer, and UMA before 7.2 SP1 allows remote attackers to inject arbitrary web script or HTML via the node_id parameter.

Multiple Dell SonicWALL products are prone to a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The following products are vulnerable: Dell SonicWALL Global Management System, Dell SonicWALL Analyzer, and Dell SonicWALL Universal Management Appliance.

GMS is a global management system for rapid deployment and centralized management of SonicWALL infrastructure. Analyzer is network analyzer software for SonicWALL infrastructure. UMA is universal management appliance software.

I. VULNERABILITY
-------------------------
Reflected XSS vulnerabilities in DELL SonicWALL GMS 7.2 Build: 7221.1701

II. BACKGROUND
-------------------------
Dell® SonicWALL® provides intelligent network security and data protection solutions that enable customers and partners to dynamically secure, control, and scale their global networks.

III. DESCRIPTION
-------------------------
A reflected XSS vulnerability has been detected in DELL SonicWALL GMS. The code injection is done through the parameter "node_id" in the page "/sgms/panelManager?level=1&typeOfUnits=2&node_name=GlobalView&node_id=(HERE XSS)".

IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter "node_ID" correctly.
https://10.200.210.222:8443/sgms/panelManager?level=1&typeOfUnits=2&node_name=GlobalView&node_id=aaaaaaa'</script><body onload=alert(document.cookie)>&panelidz=0,4#tabs-4

V.

VI. SYSTEMS AFFECTED
-------------------------
Tested DELL SonicWALL Analyzer v7.2 (build 7220.1700)

VII. SOLUTION
-------------------------
https://support.software.dell.com/product-notification/128245

By William Costa
william.costa@gmail.com

Trust: 2.07

sources: NVD: CVE-2014-5024 // JVNDB: JVNDB-2014-003574 // BID: 68829 // VULHUB: VHN-72965 // PACKETSTORM: 127575

AFFECTED PRODUCTS

vendor: sonicwall | model: uma em5000 | scope: eq | version: -

Trust: 1.6

vendor: sonicwall | model: analyzer | scope: lte | version: 7.2

Trust: 1.0

vendor: sonicwall | model: global management system | scope: lte | version: 7.2

Trust: 1.0

vendor: dell | model: sonicwall analyzer | scope: lt | version: 7.2 sp1

Trust: 0.8

vendor: dell | model: sonicwall global management system | scope: lt | version: 7.2 sp1

Trust: 0.8

vendor: dell | model: sonicwall e-class universal management appliance em5000 | scope: lt | version: 7.2 sp1

Trust: 0.8

vendor: sonicwall | model: global management system | scope: eq | version: 7.2

Trust: 0.6

vendor: sonicwall | model: analyzer | scope: eq | version: 7.2

Trust: 0.6

sources: JVNDB: JVNDB-2014-003574 // CNNVD: CNNVD-201407-611 // NVD: CVE-2014-5024

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-5024
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-5024
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201407-611
value: MEDIUM

Trust: 0.6

VULHUB: VHN-72965
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-5024
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-72965
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-72965 // JVNDB: JVNDB-2014-003574 // CNNVD: CNNVD-201407-611 // NVD: CVE-2014-5024

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-72965 // JVNDB: JVNDB-2014-003574 // NVD: CVE-2014-5024

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201407-611

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 127575 // CNNVD: CNNVD-201407-611

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003574

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-72965

PATCH

title: GMS/Analyzer/UMA Reflected XSS Vulnerability Resolution | url: https://support.software.dell.com/product-notification/128245

Trust: 0.8

sources: JVNDB: JVNDB-2014-003574

EXTERNAL IDS

db: NVD | id: CVE-2014-5024

Trust: 2.8

db: BID | id: 68829

Trust: 2.0

db: PACKETSTORM | id: 127575

Trust: 1.8

db: SECUNIA | id: 60287

Trust: 1.1

db: JVNDB | id: JVNDB-2014-003574

Trust: 0.8

db: CNNVD | id: CNNVD-201407-611

Trust: 0.7

db: VULHUB | id: VHN-72965

Trust: 0.1

sources: VULHUB: VHN-72965 // BID: 68829 // JVNDB: JVNDB-2014-003574 // PACKETSTORM: 127575 // CNNVD: CNNVD-201407-611 // NVD: CVE-2014-5024

REFERENCES

url: http://seclists.org/fulldisclosure/2014/jul/125

Trust: 2.5

url: https://support.software.dell.com/product-notification/128245

Trust: 1.8

url: http://www.securityfocus.com/bid/68829

Trust: 1.7

url: http://packetstormsecurity.com/files/127575/sonicwall-gms-7.2-build-7221.1701-cross-site-scripting.html

Trust: 1.7

url: http://secunia.com/advisories/60287

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5024

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-5024

Trust: 0.8

url: https://10.200.210.222:8443/sgms/panelmanager?level=1&typeofunits=2&node_name=globalview&node_id=aaaaaaa'</script><body

Trust: 0.1

sources: VULHUB: VHN-72965 // JVNDB: JVNDB-2014-003574 // PACKETSTORM: 127575 // CNNVD: CNNVD-201407-611 // NVD: CVE-2014-5024

CREDITS

William Costa

Trust: 0.4

sources: BID: 68829 // PACKETSTORM: 127575

SOURCES

db: VULHUB | id: VHN-72965
db: BID | id: 68829
db: JVNDB | id: JVNDB-2014-003574
db: PACKETSTORM | id: 127575
db: CNNVD | id: CNNVD-201407-611
db: NVD | id: CVE-2014-5024

LAST UPDATE DATE

2025-04-13T23:14:46.272000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-72965 | date: 2018-03-12T00:00:00
db: BID | id: 68829 | date: 2014-07-22T00:00:00
db: JVNDB | id: JVNDB-2014-003574 | date: 2014-07-28T00:00:00
db: CNNVD | id: CNNVD-201407-611 | date: 2014-07-25T00:00:00
db: NVD | id: CVE-2014-5024 | date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB | id: VHN-72965 | date: 2014-07-24T00:00:00
db: BID | id: 68829 | date: 2014-07-22T00:00:00
db: JVNDB | id: JVNDB-2014-003574 | date: 2014-07-28T00:00:00
db: PACKETSTORM | id: 127575 | date: 2014-07-22T23:53:19
db: CNNVD | id: CNNVD-201407-611 | date: 2014-07-25T00:00:00
db: NVD | id: CVE-2014-5024 | date: 2014-07-24T14:55:09.910