Sign-up

ID

VAR-201211-0108


CVE

CVE-2012-5920


TITLE

Google Web Toolkit Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2012-005447

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Google Web Toolkit (GWT) 2.4 through 2.5 Final, as used in JBoss Operations Network (ON) 3.1.1 and possibly other products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2012-4563. The problem is CVE-2012-4563 This is due to an incomplete fix.By any third party Web Script or HTML May be inserted. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: JBoss Operations Network 3.1.2 update Advisory ID: RHSA-2013:0187-01 Product: JBoss Operations Network Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0187.html Issue date: 2013-01-23 CVE Names: CVE-2012-5920 ===================================================================== 1. Summary: JBoss Operations Network 3.1.2, which fixes one security issue and several bugs, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Description: JBoss Operations Network (JBoss ON) is a middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services. This JBoss ON 3.1.2 release serves as a replacement for JBoss ON 3.1.1, and includes several bug fixes. Refer to the JBoss ON 3.1.2 Release Notes for information on the most significant of these changes. (CVE-2012-5920) Warning: Before applying the update, back up your existing JBoss ON installation (including its databases, applications, configuration files, the JBoss ON server's file system directory, and so on). All users of JBoss Operations Network 3.1.1 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Operations Network 3.1.2. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss ON installation (including its databases, applications, configuration files, the JBoss ON server's file system directory, and so on). Refer to the JBoss Operations Network 3.1.2 Release Notes for installation information. 4. Bugs fixed (http://bugzilla.redhat.com/): 871690 - CVE-2012-5920 GWT: unknown XSS flaw 5. References: https://www.redhat.com/security/data/cve/CVE-2012-5920.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=em&version=3.1.2 https://developers.google.com/web-toolkit/release-notes#Release_Notes_Current https://access.redhat.com/knowledge/docs/ 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFRAFsuXlSAg2UNWIIRAoIpAJ41lcJfSCnjLt/MuybQPPRyssfrJQCfcUU5 QcJou7EXNnVFLk5ejl/pb58= =bfcd -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 1.98

sources: NVD: CVE-2012-5920 // JVNDB: JVNDB-2012-005447 // BID: 57538 // PACKETSTORM: 119755

AFFECTED PRODUCTS

vendor:googlemodel:web toolkitscope:eqversion:2.4

Trust: 1.6

vendor:googlemodel:web toolkitscope:eqversion:2.5.0

Trust: 1.6

vendor:googlemodel:web toolkitscope:eqversion:2.4.0

Trust: 1.6

vendor:googlemodel:web toolkitscope:eqversion:2.4 to 2.5 final

Trust: 0.8

vendor:schneider electricmodel:trio tview softwarescope:eqversion:3.27.0

Trust: 0.3

vendor:googlemodel:web toolkit betascope:eqversion:2.4

Trust: 0.3

vendor:schneider electricmodel:trio tview softwarescope:neversion:3.29.0

Trust: 0.3

vendor:googlemodel:web toolkit gascope:neversion:2.5

Trust: 0.3

sources: BID: 57538 // JVNDB: JVNDB-2012-005447 // CNNVD: CNNVD-201211-356 // NVD: CVE-2012-5920

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2012-5920
value: MEDIUM

Trust: 1.0

NVD: CVE-2012-5920
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201211-356
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2012-5920
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2012-005447 // CNNVD: CNNVD-201211-356 // NVD: CVE-2012-5920

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2012-005447 // NVD: CVE-2012-5920

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201211-356

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201211-356

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2012-005447

PATCH
title:Google Web Toolkit Release Notesurl:https://developers.google.com/web-toolkit/release-notes
Trust: 0.8
title:RHSA-2013:0187url:http://rhn.redhat.com/errata/RHSA-2013-0187.html
Trust: 0.8
title:GWT 2.5.1url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=45889
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2012-005447 // 
            
            
            
            CNNVD: CNNVD-201211-356

EXTERNAL IDS
db:NVDid:CVE-2012-5920
Trust: 2.8
db:BIDid:57538
Trust: 1.3
db:OPENWALLid:OSS-SECURITY/2012/10/31/1
Trust: 1.0
db:JVNDBid:JVNDB-2012-005447
Trust: 0.8
db:CNNVDid:CNNVD-201211-356
Trust: 0.6
db:ICS CERTid:ICSA-17-213-02
Trust: 0.3
db:PACKETSTORMid:119755
Trust: 0.1
sources:
            
            
            BID: 57538 // 
            
            
            
            JVNDB: JVNDB-2012-005447 // 
            
            
            
            PACKETSTORM: 119755 // 
            
            
            
            CNNVD: CNNVD-201211-356 // 
            
            
            
            NVD: CVE-2012-5920

REFERENCES
url:http://rhn.redhat.com/errata/rhsa-2013-0187.html
Trust: 1.1
url:http://www.securityfocus.com/bid/57538
Trust: 1.0
url:https://developers.google.com/web-toolkit/release-notes#release_notes_2_4_0
Trust: 1.0
url:http://www.openwall.com/lists/oss-security/2012/10/31/1
Trust: 1.0
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/80331
Trust: 1.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-5920
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-5920
Trust: 0.8
url:https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vulnerability-in-google-web-toolkit-may-affect-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2012-5920/
Trust: 0.6
url:https://developers.google.com/web-toolkit/release-notes#release_notes_current
Trust: 0.4
url:https://developers.google.com/web-toolkit/
Trust: 0.3
url:https://ics-cert.us-cert.gov/advisories/icsa-17-213-02
Trust: 0.3
url:https://www.redhat.com/mailman/listinfo/rhsa-announce
Trust: 0.1
url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=em&version=3.1.2
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2012-5920
Trust: 0.1
url:https://access.redhat.com/knowledge/docs/
Trust: 0.1
url:http://bugzilla.redhat.com/):
Trust: 0.1
url:https://www.redhat.com/security/data/cve/cve-2012-5920.html
Trust: 0.1
url:https://access.redhat.com/security/updates/classification/#moderate
Trust: 0.1
url:https://access.redhat.com/security/team/contact/
Trust: 0.1
sources:
            
            
            BID: 57538 // 
            
            
            
            JVNDB: JVNDB-2012-005447 // 
            
            
            
            PACKETSTORM: 119755 // 
            
            
            
            CNNVD: CNNVD-201211-356 // 
            
            
            
            NVD: CVE-2012-5920

CREDITS
Google
Trust: 0.3
sources:
            
            
            BID: 57538

SOURCES
db:BIDid:57538
db:JVNDBid:JVNDB-2012-005447
db:PACKETSTORMid:119755
db:CNNVDid:CNNVD-201211-356
db:NVDid:CVE-2012-5920

LAST UPDATE DATE
2024-11-23T21:07:02.039000+00:00

SOURCES UPDATE DATE
db:BIDid:57538date:2017-08-03T11:09:00
db:JVNDBid:JVNDB-2012-005447date:2016-02-16T00:00:00
db:CNNVDid:CNNVD-201211-356date:2021-01-15T00:00:00
db:NVDid:CVE-2012-5920date:2024-11-21T01:45:32.577

SOURCES RELEASE DATE
db:BIDid:57538date:2013-01-24T00:00:00
db:JVNDBid:JVNDB-2012-005447date:2012-11-21T00:00:00
db:PACKETSTORMid:119755date:2013-01-24T01:45:38
db:CNNVDid:CNNVD-201211-356date:2012-11-20T00:00:00
db:NVDid:CVE-2012-5920date:2012-11-20T00:55:01.430