Overview
The NetScreen Instant Virtual Extranet (IVE) platform contains a cross-site scripting vulnerability in the row parameter of delhomepage.cgi, which could allow an attacker to mount a cross-site scripting attack.
Description
The Instant Virtual Extranet platform is an application security gateway that includes a built-in web server. The delhomepage.cgi script does not adequately validate the value of the row parameter. It is possible to use a cross-site scripting technique to inject malicious script (JavaScript, VBScript, etc.) or HTML into a web page using a specially crafted row parameter. According to NetScreen:
Impact
A remote attacker could access sensitive information related to the vulnerable web page (cookies, form values, URI data). The attacker could also attempt to mislead the user into providing sensitive information such as login credentials.
Solution
Apply Patch
NetScreen has provided a patch to address this vulnerability. For details on obtaining the patch corresponding to your currently installed release, please refer to the NetScreen Advisory.
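To review web access logs for requests that carried markup in the row parameter of delhomepage.cgi, the following check can be used. It is an added example, not code from NetScreen or from this note; it assumes Apache-style access log lines, and the path prefix and log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Characters that let a reflected value break out into HTML or script context.
MARKUP_CHARS = set("<>\"'`")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TARGET_SCRIPT = "delhomepage.cgi"   # script named in the advisory
TARGET_PARAM = "row"                # parameter named in the advisory

# Constructed sample lines; /EXAMPLE-PATH/ is a placeholder, not the real location.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Mar/2004:10:00:01 +0000] "GET /EXAMPLE-PATH/delhomepage.cgi?row=2 HTTP/1.1" 200 512',
    '192.0.2.44 - - [09/Mar/2004:10:02:17 +0000] "GET /EXAMPLE-PATH/delhomepage.cgi?row=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '192.0.2.44 - - [09/Mar/2004:10:02:40 +0000] "GET /EXAMPLE-PATH/delhomepage.cgi?row=%253Cb%253E HTTP/1.1" 200 600',
    '192.0.2.10 - - [09/Mar/2004:10:03:05 +0000] "GET /EXAMPLE-PATH/index.cgi?row=%3Cb%3E HTTP/1.1" 200 100',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_row_requests(log_lines):
    """Return (line_number, decoded_row_value) for requests worth reviewing."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/" + TARGET_SCRIPT):
            continue
        # parse_qsl decodes once; fully_decode handles any further encoding layers.
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)
            if name.lower() == TARGET_PARAM and MARKUP_CHARS & set(value):
                hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in suspicious_row_requests(SAMPLE_LOG):
        print(f"line {number}: row={value!r}")
```

Hits are candidates for review alongside the referrer and source address on the same log line; the check only covers parameters sent in the URL.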
Acknowledgements
This vulnerability was reported by Mark Lachniet.
This document was written by Damon Morda.
Other Information
CVE IDs: None
Severity Metric: 1.03
Date Public: 2004-03-02
Date First Published: 2004-03-09
Date Last Updated: 2004-03-09 21:24 UTC
Document Revision: 12