
Vulnerability Report - Data Exchange Management Studio has a Cross Site Scripting vulnerability in the UI interface

 
Unisys ID: UIS-2021-1
Status: Published
CVE-ID: CVE-2020-35542
Affected Product: Data Exchange
Affected Version: 5.0.34 and earlier versions
Impact: HIGH
CVSS v3.1 Base Score: 7.6
CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
CVSS v2.0 Base Score: 7.4
CVSS v2.0 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS Temporal Score: 7.3
Common Weakness Enumeration (CWE):  79
Common Platform Enumeration (CPE):  cpe:2.3:a:unisys:data_exchange:5.0.34:*:*:*:*:*:*:*
Source: Client Reported
Keyword(s): XSS, DEMS
Vulnerability Description:
Data Exchange Management Studio does not sanitize the input to an HTML document field, which could be used for a cross-site scripting attack.
System Configuration:
Data Exchange 5.0 IC3 (5.0.34) and earlier versions
Impact of Exploiting Vulnerability:
The Data Exchange Management Studio UI or internal database may be compromised, resulting in non-functional Manager software.
Remediation Description:
Data Exchange 5.0 IC4 (5.0.41) sanitizes the input to an HTML document field and disallows script input.
Workaround Information:
Not available.
References:
PLE 19299406
Additional Vendor Comment:
 
 
 

Disclaimer:

Unisys Corporation provides the information in this Security Vulnerability Report “AS IS.” No warranties of any nature are extended by or for the information. Unisys disclaims any financial or other responsibility that may result from your use of the information, including direct, indirect, special, or consequential damages.


Paper copies are not controlled and may be out of date; reference the Product Support Web site for current data.