
EMC Identifier: ESA-2013-015

CVE Identifier: CVE-2013-0932, CVE-2013-0933, CVE-2013-0934

Severity Rating: CVSS v2 Base Score: See below for individual scores

 

Affected Products:

RSA Archer version 5.x

Archer Smart Suite Framework version 4.x

 

Unaffected Products:

none

 

Summary: 

RSA Archer GRC 5.3SP1 platform contains fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.

 

Details: 

The vulnerabilities addressed in RSA Archer GRC 5.3SP1 are:

  1. Arbitrary file upload vulnerability (CVE-2013-0932)
    This vulnerability may allow an authenticated user to bypass existing security controls and upload arbitrary files to the Archer platform, including files of dangerous types.
    CVSSv2 Base Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
  2. Multiple cross-site scripting vulnerabilities (CVE-2013-0933)
    These vulnerabilities can be exploited to execute arbitrary HTML and script code in an RSA Archer user's browser session in the context of an affected RSA Archer application.
    CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  3. Improper authorization vulnerability (CVE-2013-0934)
    This vulnerability may allow an unauthorized Archer user to modify global reports.
    CVSSv2 Base Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)

Recommendation:

 

RSA strongly recommends all customers upgrade to RSA Archer GRC v5.3SP1 at their earliest opportunity.

Version history
Last update: 2024-02-02 07:45 PM