cnvd - cnvd-2017-10387

CNVD-2017-10387

Vulnerability from cnvd - Published: 2017-06-20

Title

BlackBerry Unified Endpoint Manager和BES12 Management Console跨站脚本漏洞

Description

BlackBerry Unified Endpoint Manager（UEM）和BlackBerry Enterprise Manager（BES12）都是加拿大黑莓（BlackBerry）公司的产品。BlackBerry Unified Endpoint Manager（UEM）是一套企业级文件管理解决方案。BlackBerry Enterprise Manager（BES12）是一套移动设备管理解决方案。Management Console是其中的一个管理控制台程序。 BlackBerry Unified Endpoint Manager 12.6.1及之前的版本和BES12中的Management Console存在跨站脚本漏洞。远程攻击者可利用该漏洞通过诱使管理员查看上传的恶意脚本的位置在Management Console管理员的上下文中执行操作。

Severity

中

Patch Name

BlackBerry Unified Endpoint Manager和BES12 Management Console跨站脚本漏洞的补丁

Patch Description

Formal description

用户可参考如下厂商提供的安全补丁以修复该漏洞： http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000044565

Reference

http://support.blackberry.com/kb/articleDetail?language=en_US&amp;articleNumber=000044565 https://nvd.nist.gov/vuln/detail/CVE-2017-3894 http://www.securityfocus.com/bid/98552

Impacted products

Name
['Blackberry Unified Endpoint Manager <=12.6.1', 'Blackberry Enterprise Manager 12.5.0', 'Blackberry Enterprise Manager 12.5.1', 'Blackberry Enterprise Manager 12.5.2', 'Blackberry Enterprise Manager 12.4.0', 'Blackberry Enterprise Manager 12.4.1', 'Blackberry Enterprise Manager 12.3.0', 'Blackberry Enterprise Manager 12.3.1', 'Blackberry Enterprise Manager 12.2.0', 'Blackberry Enterprise Manager 12.2.1', 'Blackberry Enterprise Manager 12.1.0', 'Blackberry Enterprise Manager 12.1.1', 'Blackberry Enterprise Manager 12.1', 'Blackberry Enterprise Manager 12.0.1', 'Blackberry Enterprise Manager 12.0']

Name

['Blackberry Unified Endpoint Manager <=12.6.1', 'Blackberry Enterprise Manager 12.5.0', 'Blackberry Enterprise Manager 12.5.1', 'Blackberry Enterprise Manager 12.5.2', 'Blackberry Enterprise Manager 12.4.0', 'Blackberry Enterprise Manager 12.4.1', 'Blackberry Enterprise Manager 12.3.0', 'Blackberry Enterprise Manager 12.3.1', 'Blackberry Enterprise Manager 12.2.0', 'Blackberry Enterprise Manager 12.2.1', 'Blackberry Enterprise Manager 12.1.0', 'Blackberry Enterprise Manager 12.1.1', 'Blackberry Enterprise Manager 12.1', 'Blackberry Enterprise Manager 12.0.1', 'Blackberry Enterprise Manager 12.0']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "98552"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-3894",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3894"
    }
  },
  "description": "BlackBerry Unified Endpoint Manager\uff08UEM\uff09\u548cBlackBerry Enterprise Manager\uff08BES12\uff09\u90fd\u662f\u52a0\u62ff\u5927\u9ed1\u8393\uff08BlackBerry\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002BlackBerry Unified Endpoint Manager\uff08UEM\uff09\u662f\u4e00\u5957\u4f01\u4e1a\u7ea7\u6587\u4ef6\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002BlackBerry Enterprise Manager\uff08BES12\uff09\u662f\u4e00\u5957\u79fb\u52a8\u8bbe\u5907\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002Management Console\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7ba1\u7406\u63a7\u5236\u53f0\u7a0b\u5e8f\u3002\r\n\r\nBlackBerry Unified Endpoint Manager 12.6.1\u53ca\u4e4b\u524d\u7684\u7248\u672c\u548cBES12\u4e2d\u7684Management Console\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u8bf1\u4f7f\u7ba1\u7406\u5458\u67e5\u770b\u4e0a\u4f20\u7684\u6076\u610f\u811a\u672c\u7684\u4f4d\u7f6e\u5728Management Console\u7ba1\u7406\u5458\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u64cd\u4f5c\u3002",
  "discovererName": "Blackberry",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttp://support.blackberry.com/kb/articleDetail?language=en_US\u0026articleNumber=000044565",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-10387",
  "openTime": "2017-06-20",
  "patchDescription": "BlackBerry Unified Endpoint Manager\uff08UEM\uff09\u548cBlackBerry Enterprise Manager\uff08BES12\uff09\u90fd\u662f\u52a0\u62ff\u5927\u9ed1\u8393\uff08BlackBerry\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002BlackBerry Unified Endpoint Manager\uff08UEM\uff09\u662f\u4e00\u5957\u4f01\u4e1a\u7ea7\u6587\u4ef6\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002BlackBerry Enterprise Manager\uff08BES12\uff09\u662f\u4e00\u5957\u79fb\u52a8\u8bbe\u5907\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002Management Console\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7ba1\u7406\u63a7\u5236\u53f0\u7a0b\u5e8f\u3002\r\n\r\nBlackBerry Unified Endpoint Manager 12.6.1\u53ca\u4e4b\u524d\u7684\u7248\u672c\u548cBES12\u4e2d\u7684Management Console\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u8bf1\u4f7f\u7ba1\u7406\u5458\u67e5\u770b\u4e0a\u4f20\u7684\u6076\u610f\u811a\u672c\u7684\u4f4d\u7f6e\u5728Management Console\u7ba1\u7406\u5458\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "BlackBerry Unified Endpoint Manager\u548cBES12 Management Console\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Blackberry Unified Endpoint Manager \u003c=12.6.1",
      "Blackberry Enterprise Manager 12.5.0",
      "Blackberry Enterprise Manager 12.5.1",
      "Blackberry Enterprise Manager 12.5.2",
      "Blackberry Enterprise Manager 12.4.0",
      "Blackberry Enterprise Manager 12.4.1",
      "Blackberry Enterprise Manager 12.3.0",
      "Blackberry Enterprise Manager 12.3.1",
      "Blackberry Enterprise Manager 12.2.0",
      "Blackberry Enterprise Manager 12.2.1",
      "Blackberry Enterprise Manager 12.1.0",
      "Blackberry Enterprise Manager 12.1.1",
      "Blackberry Enterprise Manager 12.1",
      "Blackberry Enterprise Manager 12.0.1",
      "Blackberry Enterprise Manager 12.0"
    ]
  },
  "referenceLink": "http://support.blackberry.com/kb/articleDetail?language=en_US\u0026amp;amp;articleNumber=000044565\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-3894\r\nhttp://www.securityfocus.com/bid/98552",
  "serverity": "\u4e2d",
  "submitTime": "2017-05-16",
  "title": "BlackBerry Unified Endpoint Manager\u548cBES12 Management Console\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2017-3894 (GCVE-0-2017-3894)

Vulnerability from cvelistv5 – Published: 2017-05-10 16:00 – Updated: 2024-08-05 14:39

Summary

A stored cross site scripting vulnerability in the Management Console of BlackBerry Unified Endpoint Manager version 12.6.1 and earlier, and all versions of BES12, allows attackers to execute actions in the context of a Management Console administrator by uploading a malicious script and then persuading a target administrator to view the specific location of the malicious script within the Management Console.

Severity ?

No CVSS data available.

CWE

Assigner

blackberry

References

URL

Tags

	http://www.securityfocus.com/bid/98552	vdb-entryx_refsource_BID
	http://support.blackberry.com/kb/articleDetail?la…	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1038465	vdb-entryx_refsource_SECTRACK

Impacted products

Vendor

Product

Version

BlackBerry

Unified Endpoint Manager

Affected: before 12.6.2

BlackBerry

BES12

Affected: all versions

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:39:41.190Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "98552",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/98552"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://support.blackberry.com/kb/articleDetail?language=en_US\u0026articleNumber=000044565"
          },
          {
            "name": "1038465",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1038465"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Unified Endpoint Manager",
          "vendor": "BlackBerry",
          "versions": [
            {
              "status": "affected",
              "version": "before 12.6.2"
            }
          ]
        },
        {
          "product": "BES12",
          "vendor": "BlackBerry",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        }
      ],
      "datePublic": "2017-05-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A stored cross site scripting vulnerability in the Management Console of BlackBerry Unified Endpoint Manager version 12.6.1 and earlier, and all versions of BES12, allows attackers to execute actions in the context of a Management Console administrator by uploading a malicious script and then persuading a target administrator to view the specific location of the malicious script within the Management Console."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "XSS",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-07T09:57:01",
        "orgId": "dbe78b00-5e7b-4fda-8748-329789ecfc5c",
        "shortName": "blackberry"
      },
      "references": [
        {
          "name": "98552",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/98552"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://support.blackberry.com/kb/articleDetail?language=en_US\u0026articleNumber=000044565"
        },
        {
          "name": "1038465",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1038465"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@blackberry.com",
          "ID": "CVE-2017-3894",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Unified Endpoint Manager",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "before 12.6.2"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "BES12",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "all versions"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "BlackBerry"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A stored cross site scripting vulnerability in the Management Console of BlackBerry Unified Endpoint Manager version 12.6.1 and earlier, and all versions of BES12, allows attackers to execute actions in the context of a Management Console administrator by uploading a malicious script and then persuading a target administrator to view the specific location of the malicious script within the Management Console."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "XSS"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "98552",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/98552"
            },
            {
              "name": "http://support.blackberry.com/kb/articleDetail?language=en_US\u0026articleNumber=000044565",
              "refsource": "CONFIRM",
              "url": "http://support.blackberry.com/kb/articleDetail?language=en_US\u0026articleNumber=000044565"
            },
            {
              "name": "1038465",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1038465"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dbe78b00-5e7b-4fda-8748-329789ecfc5c",
    "assignerShortName": "blackberry",
    "cveId": "CVE-2017-3894",
    "datePublished": "2017-05-10T16:00:00",
    "dateReserved": "2016-12-21T00:00:00",
    "dateUpdated": "2024-08-05T14:39:41.190Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-10387

CVE-2017-3894 (GCVE-0-2017-3894)

Tags

Sightings

Nomenclature