Multiple BlackBerry Products CVE-2017-3894 HTML Injection Vulnerability



Multiple BlackBerry products are prone to an HTML-injection vulnerability because they fail to properly sanitize user-supplied input.

Successful exploits will result in the execution of arbitrary attacker-supplied HTML and script code in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or control how the page is rendered to the user. Other attacks are also possible.

The following products are affected:

Unified Endpoint Manager version 12.6.1 and prior.
All versions of BlackBerry Enterprise Service (BES) 12.

Information

Bugtraq ID: 98552
Class: Input Validation Error
CVE: CVE-2017-3894

Remote: Yes
Local: No
Published: May 10 2017 12:00AM
Updated: May 24 2017 02:00PM
Credit: The vendor reported this issue.
Vulnerable: BlackBerry Unified Endpoint Manager 12.6.1
BlackBerry Unified Endpoint Manager 12.6
BlackBerry Enterprise Service 12.5.1
BlackBerry Enterprise Service 12.2.1
BlackBerry Enterprise Service 12.2
BlackBerry Enterprise Service 12.1
BlackBerry Enterprise Service 12.0.1
BlackBerry Enterprise Service 12.0


Not Vulnerable: BlackBerry Unified Endpoint Manager 12.6.2


Exploit


An attacker can exploit this issue using a web browser.

