CVE-2011-3684

Name of the Vulnerable Software and Affected Versions Tembria Server Monitor versions prior to 6.0.5 Build 2252

Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters to different ASP pages, including siteid to multiple pages, action to site-list.asp, siteid or type to event-history.asp and admin-history.asp, siteid or id to dashboard-view.asp, siteid or dn to device-events.asp, siteid or submit to device-finder.asp, siteid or dn to device-monitors.asp, siteid or type to device-views.asp and monitor-views.asp, and siteid, action, or sel to reports-list.asp, monitor-list.asp, and device-list.asp.

Recommendations For Tembria Server Monitor versions prior to 6.0.5 Build 2252, update to version 6.0.5 Build 2252 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable ASP pages until a patch is available. Avoid using the vulnerable parameters, such as siteid, action, type, id, dn, submit, and sel, in the affected API endpoints until the issue is resolved.