CVE-2012-2292
published 2013-02-06CVE-2012-2292: The Silverlight cross-domain policy in EMC RSA Archer SmartSuite Framework 4.x and RSA Archer GRC 5.x before 5.2SP1 does not restrict access to the Archer…
PriorityP336high7.5CVSS 2.0
AVNACLAuNCPIPAP
EPSS
1.43%
69.7th percentile
The Silverlight cross-domain policy in EMC RSA Archer SmartSuite Framework 4.x and RSA Archer GRC 5.x before 5.2SP1 does not restrict access to the Archer application, which allows remote attackers to bypass the Same Origin Policy via unspecified vectors.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| emc | rsa_archer_egrc | — | — |
| emc | rsa_archer_egrc | — | — |
| emc | rsa_archer_egrc | — | — |
| emc | rsa_archer_smartsuite | — | — |
| emc | rsa_archer_smartsuite | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CWE
Permissive Cross-domain Security Policy with Untrusted Domains
mitre_cwe
CWE-942 Permissive Cross-domain Security Policy with Untrusted Domains
CWE-942: Permissive Cross-domain Security Policy with Untrusted Domains
The product uses a web-client protection
mechanism such as a Content Security Policy (CSP) or
cross-domain policy file, but the policy includes untrusted
domains with which the web client is allowed to
communicate.
If a cross-domain policy file includes domains
that should not be trusted, such as when using wildcards
under a high-level domain, then the application could be
attacked by these untrusted domains. In many cases, the
attack can be launched without the victim even being aware
of it.
Background: In HTTP/HTTPS, policies such as the Same Origin
Policy prevent web clients from loading resources from
(or making requests to) domains that did not match the
web site's own domain, e.g., Javascript or other code
hos
CWE
Improper Restriction of Communication Channel to Intended Endpoints
mitre_cwe
CWE-923 Improper Restriction of Communication Channel to Intended Endpoints
CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
Attackers might be able to spoof the intended endpoint from a different system or process, thus gaining the same level of access as the intended endpoint. While this issue frequently involves authentication between network-based clients and servers, other types of communication channels and endpoints can have this weakness.
Modes of Introduction:
Phase: Architecture and Design
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Integrity, C
2013-02-06
Published