Vulnerability Details: CVE-2013-7025
Multiple cross-site scripting (XSS) vulnerabilities in ematStaticAlertTypes.jsp in the Alert Settings section in Dell SonicWALL Global Management System (GMS), Analyzer, and UMA EM5000 7.1 SP1 before Hotfix 134235 allow remote authenticated users to inject arbitrary web script or HTML via the (1) valfield_1 or (2) value_1 parameter to createNewThreshold.jsp.
Vulnerability category: Cross site scripting (XSS)
Exploit prediction scoring system (EPSS) score for CVE-2013-7025
Probability of exploitation activity in the next 30 days: 0.63%
Percentile, the proportion of vulnerabilities that are scored at or less: ~76%
CVSS scores for CVE-2013-7025
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST |
CWE ids for CVE-2013-7025
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-7025
- http://archives.neohapsis.com/archives/bugtraq/2013-12/0022.html
  Third Party Advisory
- http://seclists.org/fulldisclosure/2013/Dec/32
  Full Disclosure: Sonicwall GMS v7.x - Filter Bypass & Persistent Vulnerability
  Exploit; Mailing List; Third Party Advisory
- http://www.sonicwall.com/us/shared/download/Support_Bulletin_GMS_Vulnerability_Hotfix_134235.pdf
  Vendor Advisory
- http://www.securitytracker.com/id/1029433
  SonicWALL GMS/Analyzer/UMA Input Validation Flaw in 'Alert Settings' Request Permits Cross-Site Scripting Attacks - SecurityTracker
  Third Party Advisory; VDB Entry
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89462
  DELL SonicWALL ematStaticAlertTypes.jsp cross-site scripting CVE-2013-7025 Vulnerability Report
  VDB Entry
- http://www.vulnerability-lab.com/get_content.php?id=1099
  Exploit
- http://www.securityfocus.com/bid/64103
  Multiple Dell SonicWALL Products Multiple HTML Injection Vulnerabilities
  Exploit; Third Party Advisory; VDB Entry
- http://www.exploit-db.com/exploits/30054
  SonicWALL Gms 7.x - Filter Bypass / Persistent - JSP webapps Exploit
  Exploit; Third Party Advisory; VDB Entry
Products affected by CVE-2013-7025
- cpe:2.3:a:sonicwall:analyzer:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:sonicwall:analyzer:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:sonicwall:analyzer:7.1:sp1:*:*:*:*:*:*
- cpe:2.3:a:sonicwall:global_management_system:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:sonicwall:global_management_system:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:sonicwall:global_management_system:7.1:sp1:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:uma_e5000_firmware:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:uma_e5000_firmware:7.1:sp1:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:uma_e5000_firmware:7.1:*:*:*:*:*:*:*