CVE-2013-5300

Name of the Vulnerable Software and Affected Versions AlienVault Open Source Security Information Management (OSSIM) versions prior to 4.3.0

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via several parameters, including the withoutmenu parameter to "/vulnmeter/index.php" or "/vulnmeter/sched.php", the section parameter to "av inventory/task edit.php", the profile parameter to "nfsen/rrdgraph.php", or the scan server or targets parameters to "vulnmeter/simulate.php".

Recommendations For versions prior to 4.3.0, update to version 4.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as "/vulnmeter/index.php", "/vulnmeter/sched.php", "av inventory/task edit.php", "nfsen/rrdgraph.php", and "vulnmeter/simulate.php", until the update can be applied. Avoid using the vulnerable parameters withoutmenu, section, profile, scan server, and targets in the affected endpoints until the issue is resolved.