MidnightBSD

Advisories for rsa

CVE-1999-0834 HIGH

Buffer overflow in RSAREF2 via the encryption and decryption functions in the RSAREF library.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rsa rsaref 2.0
CVE-2000-0522 MEDIUM

RSA ACE/Server allows remote attackers to cause a denial of service by flooding the server's authentication request port with UDP packets, which causes the server to crash.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rsa ace_server 3.1
rsa ace_server 3.3
rsa ace_server 4.1
rsa ace_server 4.0
rsa ace_server 3.3.1
CVE-2001-1461 HIGH

Directory traversal vulnerability in WebID in RSA Security SecurID 5.0 as used by ACE/Agent for Windows, Windows NT and Windows 2000 allows attackers to access restricted resources via URL-encoded (1) /.. or (2) \.. sequences.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rsa securid 5.0
CVE-2001-1462 HIGH

WebID in RSA Security SecurID 5.0 as used by ACE/Agent for Windows, Windows NT and Windows 2000 allows attackers to cause the WebID agent to enter debug mode via a URL containing null characters, which may allow attackers to obtain sensitive information.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rsa securid 5.0
CVE-2002-0507 LOW

An interaction between Microsoft Outlook Web Access (OWA) with RSA SecurID allows local users to bypass the SecurID authentication for a previous user via several submissions of an OWA Authentication request with the proper OWA password for the previous user, which is eventually accepted by OWA.

CVSS 2.0

Severity: LOW

Problem Type: CWE-287,

Products Affected

Vendor Product Version
rsa securid 5.0
microsoft exchange_server 5.5
microsoft exchange_server 2000
CVE-2003-0389 MEDIUM

Cross-site scripting (XSS) vulnerability in the secure redirect function of RSA ACE/Agent 5.0 for Windows, and 5.x for Web, allows remote attackers to insert arbitrary web script and possibly cause users to enter a passphrase via a GET request containing the script.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rsa ace_agent 5.0
CVE-2005-1118 MEDIUM

Cross-site scripting (XSS) vulnerability in IISWebAgentIF.dll in the RSA Authentication Agent for Web 5.2 allows remote attackers to inject arbitrary web script or HTML via the postdata parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rsa authentication_agent_for_web 5.2
CVE-2005-1471 HIGH

Heap-based buffer overflow in RSA SecurID Web Agent 5, 5.2, and 5.3 allows remote attackers to execute arbitrary code via crafted chunked-encoding data.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rsa securid_web_agent 5.3
rsa securid_web_agent 5.2
rsa securid_web_agent 5
CVE-2005-3329 MEDIUM

Cross-site scripting (XSS) vulnerability in RSA Authentication Agent for Web 5.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the image parameter in a GetPic operation.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rsa authentication_agent_for_web 5.2
rsa authentication_agent_for_web 5.1.1
rsa authentication_agent_for_web *
rsa authentication_agent_for_web 5.1
CVE-2005-4734 MEDIUM

Stack-based buffer overflow in IISWebAgentIF.dll in RSA Authentication Agent for Web (aka SecurID Web Agent) 5.2 and 5.3 for IIS allows remote attackers to execute arbitrary code via a long url parameter in the Redirect method.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rsa authentication_agent_for_web 5.2
rsa authentication_agent_for_web 5.3
CVE-2008-7266 MEDIUM

Cross-site scripting (XSS) vulnerability in an unspecified Shockwave Flash file in RSA Adaptive Authentication 2.x and 5.7.x allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa adaptive_authentication 5.7.2
rsa adaptive_authentication 5.7.3
rsa adaptive_authentication 5.7.0
rsa adaptive_authentication 2.0
CVE-2010-2337 MEDIUM

Open redirect vulnerability in RSA Federated Identity Manager 4.0 before 4.0.25 and 4.1 before 4.1.26 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
rsa federated_identity_manager 4.1
rsa federated_identity_manager 4.0
CVE-2010-2634 MEDIUM

RSA enVision before 3.7 SP1 allows remote authenticated users to cause a denial of service via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rsa envision *
rsa envision 3.5.0
rsa envision 3.5.1
rsa envision 3.5.2
rsa envision 3.3.6_build_0115
CVE-2010-3017 MEDIUM

Unspecified vulnerability in RSA Access Manager Agent 4.7.1 before 4.7.1.7, when RSA Adaptive Authentication Integration is enabled, allows remote attackers to bypass authentication and obtain sensitive information via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rsa access_manager_agent 4.7.1
CVE-2010-3018 MEDIUM

RSA Access Manager Server 5.5.3 before 5.5.3.172, 6.0.4 before 6.0.4.53, and 6.1 before 6.1.2.01 does not properly perform cache updates, which allows remote attackers to obtain sensitive information via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
rsa access_manager_server 6.1
rsa access_manager_server 6.0.4
rsa access_manager_server 5.5.3
CVE-2010-3261 MEDIUM

Directory traversal vulnerability in RSA Authentication Agent 7.0 before P2 for Web allows remote attackers to read unspecified data via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
rsa authentication_agent_for_web 5.2
rsa authentication_agent_for_web 5.1.1
rsa authentication_agent_for_web *
rsa authentication_agent_for_web 5.1
rsa authentication_agent_for_web 5.3
CVE-2010-3321 LOW

RSA Authentication Client 2.0.x, 3.0, and 3.5.x before 3.5.3 does not properly handle a SENSITIVE or NON-EXTRACTABLE tag on a secret key object that is stored on a SecurID 800 authenticator, which allows local users to bypass intended access restrictions and read keys via unspecified PKCS#11 API requests.

CVSS 2.0

Severity: LOW

Problem Type: CWE-264,

Products Affected

Vendor Product Version
rsa authentication_client 2.0
rsa authentication_client 3.5.1
rsa authentication_client 3.0
CVE-2011-0322 HIGH

Unspecified vulnerability in EMC RSA Access Manager Server 5.5.x, 6.0.x, and 6.1.x allows remote attackers to access resources via unknown vectors.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rsa access_manager_server 6.1
rsa access_manager_server 6.1.2
rsa access_manager_server 6.0.4
rsa access_manager_server 5.5.3
rsa access_manager_server 6.1.3
CVE-2011-2736 MEDIUM

RSA enVision 4.x before 4 SP4 P3 places cleartext administrative credentials in Task Escalation e-mail messages, which allows remote attackers to obtain sensitive information by sniffing the network or leveraging access to a recipient mailbox.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
rsa envision 4.0
CVE-2011-2737 MEDIUM

RSA enVision 3.x and 4.x before 4 SP4 P3 allows remote attackers to read arbitrary files via unspecified vectors, related to an "arbitrary file retrieval vulnerability."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
rsa envision 3.7.0
rsa envision *
rsa envision 3.5.0
rsa envision 3.5.1
rsa envision 4.0
rsa envision 3.5.2
rsa envision 3.3.6_build_0115
CVE-2011-4141 HIGH

Untrusted search path vulnerability in EMC RSA SecurID Software Token 4.1 before 4.1.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a Software Token file.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rsa securid 4.1
rsa securid 4.1.0.545
CVE-2011-4143 MEDIUM

EMC RSA enVision 4.0 before SP4 P5 and 4.1 before P3 allows remote attackers to obtain sensitive information about environment variables in the web system via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
rsa envision 4.1
rsa envision 4.0
CVE-2012-0397 HIGH

Buffer overflow in EMC RSA SecurID Software Token Converter before 2.6.1 allows remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
rsa securid_software_token_converter *
CVE-2012-0399 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA enVision 4.x before 4.1 Patch 4 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa envision 4.1
rsa envision 4.0
CVE-2012-0400 HIGH

EMC RSA enVision 4.x before 4.1 Patch 4 does not properly restrict the number of failed authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
rsa envision 4.1
rsa envision 4.0
CVE-2012-0401 MEDIUM

Multiple SQL injection vulnerabilities in EMC RSA enVision 4.x before 4.1 Patch 4 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
rsa envision 4.1
rsa envision 4.0
CVE-2012-0402 HIGH

EMC RSA enVision 4.x before 4.1 Patch 4 uses unspecified hardcoded credentials, which makes it easier for remote attackers to obtain access via unknown vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-255,

Products Affected

Vendor Product Version
rsa envision 4.1
rsa envision 4.0
CVE-2012-0403 MEDIUM

Directory traversal vulnerability in EMC RSA enVision 4.x before 4.1 Patch 4 allows remote authenticated users to have an unspecified impact via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
rsa envision 4.1
rsa envision 4.0
CVE-2012-2278 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the (1) Self-Service Console and (2) Security Console in EMC RSA Authentication Manager 7.1 before SP4 P14 and RSA SecurID Appliance 3.0 before SP4 P14 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa authentication_manager 7.1
emc rsa_authentication_manager 7.1
emc rsa_authentication_manager 7.0
rsa securid_appliance 2.0
emc rsa_authentication_manager *
rsa securid_appliance 2.0.2
rsa securid_appliance 3.0
rsa securid_appliance 2.0.1
CVE-2012-2279 MEDIUM

Open redirect vulnerability in the Security Console in EMC RSA Authentication Manager 7.1 before SP4 P14 and RSA SecurID Appliance 3.0 before SP4 P14 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
rsa authentication_manager 7.1
emc rsa_authentication_manager 7.1
emc rsa_authentication_manager 7.0
rsa securid_appliance 2.0
emc rsa_authentication_manager *
rsa securid_appliance 2.0.2
rsa securid_appliance 3.0
rsa securid_appliance 2.0.1
CVE-2012-2280 MEDIUM

EMC RSA Authentication Manager 7.1 before SP4 P14 and RSA SecurID Appliance 3.0 before SP4 P14 do not properly use frames, which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a "Cross frame scripting vulnerability."

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rsa authentication_manager 7.1
emc rsa_authentication_manager 7.1
emc rsa_authentication_manager 7.0
rsa securid_appliance 2.0
emc rsa_authentication_manager *
rsa securid_appliance 2.0.2
rsa securid_appliance 3.0
rsa securid_appliance 2.0.1
CVE-2012-2281 MEDIUM

EMC RSA Access Manager Server 6.x before 6.1 SP4 and RSA Access Manager Agent do not properly validate session tokens after a logout, which might allow remote attackers to conduct replay attacks via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
rsa access_manager_server 6.1
rsa access_manager_server 6.0
rsa access_manager_agent *
CVE-2013-0931 MEDIUM

EMC RSA Authentication Agent 7.1.x before 7.1.2 on Windows does not enforce the Quick PIN Unlock timeout feature, which allows physically proximate attackers to bypass the passcode requirement for a screensaved session by entering a PIN after timeout expiration.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-16,

Products Affected

Vendor Product Version
rsa authentication_agent_for_windows 7.1.1
rsa authentication_agent_for_windows 7.1
CVE-2013-0941 LOW

EMC RSA Authentication API before 8.1 SP1, RSA Web Agent before 5.3.5 for Apache Web Server, RSA Web Agent before 5.3.5 for IIS, RSA PAM Agent before 7.0, and RSA Agent before 6.1.4 for Microsoft Windows use an improper encryption algorithm and a weak key for maintaining the stored data of the node secret for the SecurID Authentication API, which allows local users to obtain sensitive information via cryptographic attacks on this data.

CVSS 2.0

Severity: LOW

Problem Type: CWE-310,

Products Affected

Vendor Product Version
rsa authentication_api *
rsa securid_web_agent *
rsa authentication_agent *
rsa pluggable_authentication_module_agent *
CVE-2013-0947 LOW

EMC RSA Authentication Manager 8.0 before P1 allows local users to discover cleartext operating-system passwords, HTTP plug-in proxy passwords, and SNMP communities by reading a (1) log file or (2) configuration file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-255,

Products Affected

Vendor Product Version
rsa authentication_manager 8.0
CVE-2013-3273 LOW

EMC RSA Authentication Manager 8.0 before P2 and 7.1 before SP4 P26, as used in Appliance 3.0, does not omit the cleartext administrative password from trace logging in custom SDK applications, which allows local users to obtain sensitive information by reading the trace log file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-255,

Products Affected

Vendor Product Version
rsa authentication_manager 7.1
emc rsa_authentication_manager 7.1
rsa authentication_manager 8.0
emc rsa_authentication_manager 8.0
CVE-2014-4627 MEDIUM

SQL injection vulnerability in EMC RSA Web Threat Detection 4.x before 4.6.1.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
rsa web_threat_detection *
CVE-2015-0541 MEDIUM

Cross-site request forgery (CSRF) vulnerability in EMC RSA Web Threat Detection before 5.1 allows remote attackers to hijack the authentication of arbitrary users.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
rsa web_threat_detection *
CVE-2015-4547 MEDIUM

EMC RSA Web Threat Detection before 5.1 SP1 stores a cleartext AnnoDB password in a configuration file, which allows remote authenticated users to obtain sensitive information by reading this file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
rsa web_threat_detection *
CVE-2015-4548 HIGH

EMC RSA Web Threat Detection before 5.1 SP1 allows local users to obtain root privileges by leveraging access to a service account and writing commands to a service configuration file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
rsa web_threat_detection *
CVE-2015-6851 HIGH

EMC RSA SecurID Web Agent before 8.0 allows physically proximate attackers to bypass the privacy-screen protection mechanism by leveraging an unattended workstation and running DOM Inspector.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,

Products Affected

Vendor Product Version
rsa securid_web_agent *
CVE-2016-0919 MEDIUM

EMC RSA Web Threat Detection version 5.0, RSA Web Threat Detection version 5.1, RSA Web Threat Detection version 5.1.2 has a cross site scripting vulnerability that could potentially be exploited by malicious users to compromise the affected system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa web_threat_detection 5.0
rsa web_threat_detection 5.1
rsa web_threat_detection 5.1.2
CVE-2017-14369 MEDIUM

RSA Archer GRC Platform prior to 6.2.0.5 is affected by a privilege escalation vulnerability. A low privileged RSA Archer user may potentially exploit this vulnerability to elevate their privileges and export certain application records.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rsa archer_grc_platform *
CVE-2017-14370 LOW

RSA Archer GRC Platform prior to 6.2.0.5 is affected by stored cross-site scripting via the Source Asset ID field. An authenticated attacker may potentially exploit this to execute arbitrary HTML in the user's browser session in the context of the affected RSA Archer application.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa archer_grc_platform *
CVE-2017-14371 MEDIUM

RSA Archer GRC Platform prior to 6.2.0.5 is affected by reflected cross-site scripting via the request URL. Attackers could potentially exploit this to execute arbitrary HTML in the user's browser session in the context of the affected RSA Archer application.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa archer_grc_platform *
CVE-2017-14372 MEDIUM

RSA Archer GRC Platform prior to 6.2.0.5 is affected by reflected cross-site scripting vulnerabilities via certain RSA Archer Help pages. Attackers could potentially exploit this to execute arbitrary HTML in the user's browser session in the context of the affected RSA Archer application.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa archer_grc_platform *
CVE-2017-14377 HIGH

EMC RSA Authentication Agent for Web: Apache Web Server version 8.0 and RSA Authentication Agent for Web: Apache Web Server version 8.0.1 prior to Build 618 have a security vulnerability that could potentially lead to authentication bypass.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
rsa authentication_agent_for_web 8.0
rsa authentication_agent_for_web 8.0.1
CVE-2017-4978 LOW

EMC RSA Adaptive Authentication (On-Premise) versions prior to 7.3 P2 (exclusive) contains a fix for a cross-site scripting vulnerability that could potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa adaptive_authentication_(on_premise) *
CVE-2017-5003 MEDIUM

EMC RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2 (all patch levels); RSA Via Lifecycle and Governance version 7.0 (all patch levels); and RSA Identity Management and Governance (IMG) version 6.9.1 (all patch levels) have Reflected Cross Site Scripting vulnerabilities that could potentially be exploited by malicious users to compromise an affected system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_identity_management_and_governance 6.9.1
emc rsa_identity_governance_and_lifecycle 7.0.2
emc rsa_identity_governance_and_lifecycle 7.0.1
rsa rsa_via_lifecycle_and_governance 7.0
CVE-2017-5004 LOW

EMC RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2 (all patch levels); RSA Via Lifecycle and Governance version 7.0 (all patch levels); and RSA Identity Management and Governance (IMG) version 6.9.1 (all patch levels) have Stored Cross Site Scripting vulnerabilities that could potentially be exploited by malicious users to compromise an affected system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_identity_management_and_governance 6.9.1
emc rsa_identity_governance_and_lifecycle 7.0.2
emc rsa_identity_governance_and_lifecycle 7.0.1
rsa rsa_via_lifecycle_and_governance 7.0
CVE-2017-8004 MEDIUM

The EMC RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG products (RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels; RSA Via Lifecycle and Governance version 7.0, all patch levels; RSA Identity Management and Governance (RSA IMG) versions 6.9.1, all patch levels) allow an application administrator to upload arbitrary files that may potentially contain a malicious code. The malicious file could be then executed on the affected system with the privileges of the user the application is running under.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc rsa_identity_management_and_governance 6.9.1.10
emc rsa_identity_management_and_governance 6.9.1.23
emc rsa_identity_management_and_governance 6.9.1.6
rsa rsa_via_lifecycle_and_governance 7.0.0.1
emc rsa_identity_management_and_governance 6.9.1.18
emc rsa_identity_governance_and_lifecycle 7.0.1.2
emc rsa_identity_management_and_governance 6.9.1.2
emc rsa_identity_governance_and_lifecycle 7.0.2
rsa rsa_via_lifecycle_and_governance 7.0.0.3
rsa rsa_via_lifecycle_and_governance 7.0.0.4
emc rsa_identity_governance_and_lifecycle 7.0.1.1
emc rsa_identity_management_and_governance 6.9.1.8
emc rsa_identity_governance_and_lifecycle 7.0.2.1
emc rsa_identity_management_and_governance 6.9.1.13
rsa rsa_via_lifecycle_and_governance 7.0
emc rsa_identity_management_and_governance 6.9.1
emc rsa_identity_management_and_governance 6.9.1.3
emc rsa_identity_management_and_governance 6.9.1.22
emc rsa_identity_management_and_governance 6.9.1.5
emc rsa_identity_governance_and_lifecycle 7.0.1.3
emc rsa_identity_management_and_governance 6.9.1.16
emc rsa_identity_management_and_governance 6.9.1.14
emc rsa_identity_management_and_governance 6.9.1.24
emc rsa_identity_management_and_governance 6.9.1.1
emc rsa_identity_management_and_governance 6.9.1.19
emc rsa_identity_management_and_governance 6.9.1.15
emc rsa_identity_governance_and_lifecycle 7.0.1
emc rsa_identity_management_and_governance 6.9.1.7
emc rsa_identity_management_and_governance 6.9.1.11
emc rsa_identity_management_and_governance 6.9.1.20
emc rsa_identity_management_and_governance 6.9.1.4
emc rsa_identity_management_and_governance 6.9.1.17
emc rsa_identity_management_and_governance 6.9.1.21
rsa rsa_via_lifecycle_and_governance 7.0.0.5
emc rsa_identity_management_and_governance 6.9.1.9
rsa rsa_via_lifecycle_and_governance 7.0.0.2
emc rsa_identity_management_and_governance 6.9.1.12
CVE-2017-8005 LOW

The EMC RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG products (RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels; RSA Via Lifecycle and Governance version 7.0, all patch levels; RSA Identity Management and Governance (RSA IMG) versions 6.9.1, all patch levels) are affected by multiple stored cross-site scripting vulnerabilities. Remote authenticated malicious users could potentially inject arbitrary HTML code to the application.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_identity_management_and_governance 6.9.1.10
emc rsa_identity_management_and_governance 6.9.1.23
emc rsa_identity_management_and_governance 6.9.1.6
rsa rsa_via_lifecycle_and_governance 7.0.0.1
emc rsa_identity_management_and_governance 6.9.1.18
emc rsa_identity_governance_and_lifecycle 7.0.1.2
emc rsa_identity_management_and_governance 6.9.1.2
emc rsa_identity_governance_and_lifecycle 7.0.2
rsa rsa_via_lifecycle_and_governance 7.0.0.3
rsa rsa_via_lifecycle_and_governance 7.0.0.4
emc rsa_identity_governance_and_lifecycle 7.0.1.1
emc rsa_identity_management_and_governance 6.9.1.8
emc rsa_identity_governance_and_lifecycle 7.0.2.1
emc rsa_identity_management_and_governance 6.9.1.13
rsa rsa_via_lifecycle_and_governance 7.0
emc rsa_identity_management_and_governance 6.9.1
emc rsa_identity_management_and_governance 6.9.1.3
emc rsa_identity_management_and_governance 6.9.1.22
emc rsa_identity_management_and_governance 6.9.1.5
emc rsa_identity_governance_and_lifecycle 7.0.1.3
emc rsa_identity_management_and_governance 6.9.1.16
emc rsa_identity_management_and_governance 6.9.1.14
emc rsa_identity_management_and_governance 6.9.1.24
emc rsa_identity_management_and_governance 6.9.1.1
emc rsa_identity_management_and_governance 6.9.1.19
emc rsa_identity_management_and_governance 6.9.1.15
emc rsa_identity_governance_and_lifecycle 7.0.1
emc rsa_identity_management_and_governance 6.9.1.7
emc rsa_identity_management_and_governance 6.9.1.11
emc rsa_identity_management_and_governance 6.9.1.20
emc rsa_identity_management_and_governance 6.9.1.4
emc rsa_identity_management_and_governance 6.9.1.17
emc rsa_identity_management_and_governance 6.9.1.21
rsa rsa_via_lifecycle_and_governance 7.0.0.5
emc rsa_identity_management_and_governance 6.9.1.9
rsa rsa_via_lifecycle_and_governance 7.0.0.2
emc rsa_identity_management_and_governance 6.9.1.12
CVE-2018-11049 MEDIUM

RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG releases have an uncontrolled search vulnerability. The installation scripts set an environment variable in an unintended manner. A local authenticated malicious user could trick the root user to run malicious code on the targeted system.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,

Products Affected

Vendor Product Version
emc rsa_identity_management_and_governance 6.9.1
emc rsa_identity_governance_and_lifecycle 7.1.0
emc rsa_identity_management_and_governance 6.9.0
rsa rsa_via_lifecycle_and_governance 7.0
CVE-2018-11059 LOW

RSA Archer, versions prior to 6.4.0.1, contain a stored cross-site scripting vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. When application users access the corrupted data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa archer *
rsa archer 6.4.0.0
CVE-2018-11060 MEDIUM

RSA Archer, versions prior to 6.4.0.1, contain an authorization bypass vulnerability in the REST API. A remote authenticated malicious Archer user could potentially exploit this vulnerability to elevate their privileges.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rsa archer *
rsa archer 6.4.0.0
CVE-2018-11065 MEDIUM

The WorkPoint component, which is embedded in all RSA Archer, versions 6.1.x, 6.2.x, 6.3.x prior to 6.3.0.7 and 6.4.x prior to 6.4.0.1, contains a SQL injection vulnerability. A malicious user could potentially exploit this vulnerability to execute SQL commands on the back-end database to read certain data. Embedded WorkPoint is upgraded to version 4.10.16, which contains a fix for the vulnerability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
rsa archer *
CVE-2018-11073 LOW

RSA Authentication Manager versions prior to 8.3 P3 contain a stored cross-site scripting vulnerability in the Operations Console. A malicious Operations Console administrator could exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface. When other Operations Console administrators open the affected page, the injected scripts could potentially be executed in their browser.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa authentication_manager *
emc rsa_authentication_manager 8.3
CVE-2018-11074 MEDIUM

RSA Authentication Manager versions prior to 8.3 P3 are affected by a DOM-based cross-site scripting vulnerability which exists in its embedded MadCap Flare Help files. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to the browser DOM, which code is then executed by the web browser in the context of the vulnerable web application.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa authentication_manager *
emc rsa_authentication_manager 8.3
CVE-2018-11075 LOW

RSA Authentication Manager versions prior to 8.3 P3 contain a reflected cross-site scripting vulnerability in a Security Console page. A remote, unauthenticated malicious user, with the knowledge of a target user's anti-CSRF token, could potentially exploit this vulnerability by tricking a victim Security Console user to supply malicious HTML or JavaScript code to the vulnerable web application, which code is then executed by the victim's web browser in the context of the vulnerable web application.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa authentication_manager *
emc rsa_authentication_manager 8.3
CVE-2018-1182 HIGH

An issue was discovered in EMC RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels (hardware appliance and software bundle deployments only); RSA Via Lifecycle and Governance version 7.0, all patch levels (hardware appliance and software bundle deployments only); RSA Identity Management & Governance (RSA IMG) versions 6.9.0, 6.9.1, all patch levels (hardware appliance and software bundle deployments only). It allows certain OS level users to execute arbitrary scripts with root level privileges.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269,

Products Affected

Vendor Product Version
emc rsa_identity_management_and_governance 6.9.1
emc rsa_identity_governance_and_lifecycle 7.0.2
emc rsa_identity_management_and_governance 6.9.0
emc rsa_identity_governance_and_lifecycle 7.0.1
rsa rsa_via_lifecycle_and_governance 7.0
CVE-2018-1232 MEDIUM

RSA Authentication Agent version 8.0.1 and earlier for Web for both IIS and Apache Web Server are impacted by a stack-based buffer overflow which may occur when handling certain malicious web cookies that have invalid formats. The attacker could exploit this vulnerability to crash the authentication agent and cause a denial-of-service situation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
rsa authentication_agent_for_web *
CVE-2018-1233 MEDIUM

RSA Authentication Agent version 8.0.1 and earlier for Web for both IIS and Apache Web Server are affected by a cross-site scripting vulnerability. The attackers could potentially exploit this vulnerability to execute arbitrary HTML or JavaScript code in the user's browser session in the context of the affected website.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa authentication_agent_for_web *
CVE-2018-1234 LOW

RSA Authentication Agent version 8.0.1 and earlier for Web for IIS is affected by a problem where access control list (ACL) permissions on a Windows Named Pipe were not sufficient to prevent access by unauthorized users. The attacker with local access to the system can exploit this vulnerability to read configuration properties for the authentication agent.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
rsa authentication_agent_for_web *
CVE-2018-1247 MEDIUM

RSA Authentication Manager Security Console, version 8.3 and earlier, contains a XML External Entity (XXE) vulnerability. This could potentially allow admin users to cause a denial of service or extract server data via injecting a maliciously crafted DTD in an XML file submitted to the application.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
rsa authentication_manager *
CVE-2018-1248 MEDIUM

RSA Authentication Manager Security Console, Operation Console and Self-Service Console, version 8.3 and earlier, is affected by a Host header injection vulnerability. This could allow a remote attacker to potentially poison HTTP cache and subsequently redirect users to arbitrary web domains.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
rsa authentication_manager *
CVE-2018-1252 MEDIUM

RSA Web Threat Detection versions prior to 6.4, contain an SQL injection vulnerability in the Administration and Forensics applications. An authenticated malicious user with low privileges could potentially exploit this vulnerability to execute SQL commands on the back-end database to gain unauthorized access to the tool's monitoring and user information by supplying specially crafted input data to the affected application.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
rsa web_threat_detection *
CVE-2018-15780 MEDIUM

RSA Archer versions prior to 6.5.0.1 contain an improper access control vulnerability. A remote malicious user could potentially exploit this vulnerability to bypass authorization checks and gain read access to restricted user information.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rsa archer_grc_platform *
CVE-2018-15782 HIGH

The Quick Setup component of RSA Authentication Manager versions prior to 8.4 is vulnerable to a relative path traversal vulnerability. A local attacker could potentially provide an administrator with a crafted license that if used during the quick setup deployment of the initial RSA Authentication Manager system, could allow the attacker unauthorized access to that system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
rsa authentication_manager *
CVE-2019-18574 LOW

RSA Authentication Manager software versions prior to 8.4 P8 contain a stored cross-site scripting vulnerability in the Security Console. A malicious Security Console administrator could exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface which could then be included in a report. When other Security Console administrators open the affected report, the injected scripts could potentially be executed in their browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
emc rsa_authentication_manager 8.4
rsa authentication_manager *
CVE-2019-3711 MEDIUM

RSA Authentication Manager versions prior to 8.4 P1 contain an Insecure Credential Management Vulnerability. A malicious Operations Console administrator may be able to obtain the value of a domain password that another Operations Console administrator had set previously and use it for attacks.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc rsa_authentication_manager 8.4
rsa authentication_manager *
CVE-2019-3715 LOW

RSA Archer versions, prior to 6.5 SP1, contain an information exposure vulnerability. Users' session information is logged in plain text in the RSA Archer log files. An authenticated malicious local user with access to the log files may obtain the exposed information to use it in further attacks.

CVSS 2.0

Severity: LOW

Problem Type: CWE-532,

Products Affected

Vendor Product Version
rsa archer_grc_platform 6.5
rsa archer_grc_platform *
CVE-2019-3716 LOW

RSA Archer versions, prior to 6.5 SP2, contain an information exposure vulnerability. The database connection password may get logged in plain text in the RSA Archer log files. An authenticated malicious local user with access to the log files may obtain the exposed password to use it in further attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: LOW

Problem Type: CWE-532,

Products Affected

Vendor Product Version
rsa archer_grc_platform *
CVE-2019-3724 MEDIUM

RSA Netwitness Platform versions prior to 11.2.1.1 is vulnerable to an Authorization Bypass vulnerability. A remote low privileged attacker could potentially exploit this vulnerability to gain access to administrative information including credentials.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rsa security_analytics *
rsa netwitness_platform *
CVE-2019-3725 HIGH

RSA Netwitness Platform versions prior to 11.2.1.1 and RSA Security Analytics versions prior to 10.6.6.1 are vulnerable to a Command Injection vulnerability due to missing input validation in the product. A remote unauthenticated malicious user could exploit this vulnerability to execute arbitrary commands on the server.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
rsa security_analytics *
rsa netwitness *
CVE-2019-3756 MEDIUM

RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information disclosure vulnerability. Information relating to the backend database gets disclosed to low-privileged RSA Archer users' UI under certain error conditions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-209,CWE-200,

Products Affected

Vendor Product Version
rsa archer *
CVE-2019-3758 HIGH

RSA Archer, versions prior to 6.6 P2 (6.6.0.2), contain an improper authentication vulnerability. The vulnerability allows sysadmins to create user accounts with insufficient credentials. Unauthenticated attackers could gain unauthorized access to the system using those accounts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-288,CWE-521,

Products Affected

Vendor Product Version
rsa archer *
CVE-2020-26884 MEDIUM

RSA Archer 6.8 through 6.8.0.3 and 6.9 contains a URL injection vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability by tricking a victim application user into executing malicious JavaScript code in the context of the web application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,

Products Affected

Vendor Product Version
rsa archer *
rsa archer 6.9
CVE-2020-29535 LOW

Archer before 6.8 P4 (6.8.0.4) contains a stored XSS vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. When application users access the corrupted data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
cve@mitre.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa archer *
CVE-2020-29536 MEDIUM

Archer before 6.8 P2 (6.8.0.2) is affected by a path exposure vulnerability. A remote authenticated malicious attacker with access to service files may obtain sensitive information to use it in further attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
rsa archer *
CVE-2020-29537 MEDIUM

Archer before 6.8 P2 (6.8.0.2) is affected by an open redirect vulnerability. A remote privileged attacker may potentially redirect legitimate users to arbitrary web sites and conduct phishing attacks. The attacker could then steal the victims' credentials and silently authenticate them to the Archer application without the victims realizing an attack occurred.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 2.1 2.5
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
rsa archer *
CVE-2020-29538 MEDIUM

Archer before 6.9 P1 (6.9.0.1) contains an improper access control vulnerability in an API. A remote authenticated malicious administrative user can potentially exploit this vulnerability to gather information about the system, and may use this information in subsequent attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6
cve@mitre.org 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rsa archer *
CVE-2020-5331 LOW

RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an information exposure vulnerability. Users’ session information could potentially be stored in cache or log files. An authenticated malicious local user with access to the log files may obtain the exposed information to use it in further attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6
security_alert@emc.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: LOW

Problem Type: CWE-598,CWE-200,

Products Affected

Vendor Product Version
rsa archer *
CVE-2020-5332 HIGH

RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain a command injection vulnerability. AN authenticated malicious user with administrator privileges could potentially exploit this vulnerability to execute arbitrary commands on the system where the vulnerable application is deployed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security_alert@emc.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
rsa archer *
CVE-2020-5333 MEDIUM

RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an authorization bypass vulnerability in the REST API. A remote authenticated malicious Archer user could potentially exploit this vulnerability to view unauthorized information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-285,CWE-863,

Products Affected

Vendor Product Version
rsa archer *
CVE-2020-5334 MEDIUM

RSA Archer, versions prior to 6.7 P2 (6.7.0.2), contains a Document Object Model (DOM) based cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to DOM environment in the browser. The malicious code is then executed by the web browser in the context of the vulnerable web application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
security_alert@emc.com 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L 2.3 5.3

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
rsa archer *
CVE-2020-5335 MEDIUM

RSA Archer, versions prior to 6.7 P2 (6.7.0.2), contain a cross-site request forgery vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to send arbitrary requests to the vulnerable application to perform server operations with the privileges of the authenticated victim user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
security_alert@emc.com 5.0 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N 3.1 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,CWE-352,

Products Affected

Vendor Product Version
rsa archer *
CVE-2020-5336 MEDIUM

RSA Archer, versions prior to 6.7 P1 (6.7.0.1), contain a URL injection vulnerability. An unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to execute malicious JavaScript code on the affected system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
security_alert@emc.com 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 2.1 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-74,

Products Affected

Vendor Product Version
rsa archer *
CVE-2020-5337 MEDIUM

RSA Archer, versions prior to 6.7 P1 (6.7.0.1), contain a URL redirection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links. The vulnerability could be used to conduct phishing attacks that cause users to unknowingly visit malicious sites.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
security_alert@emc.com 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 2.1 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,CWE-601,

Products Affected

Vendor Product Version
rsa archer *
CVE-2020-5384 HIGH

Authentication Bypass Vulnerability RSA MFA Agent 2.0 for Microsoft Windows contains an Authentication Bypass vulnerability. A local unauthenticated attacker could potentially exploit this vulnerability by using an alternate path to bypass authentication in order to gain full access to the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security_alert@emc.com 8.4 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.5 5.9
nvd@nist.gov 8.4 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.5 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-288,CWE-287,

Products Affected

Vendor Product Version
rsa multifactor_authentication_agent 2.0
CVE-2021-29252 LOW

RSA Archer before 6.9 SP1 P1 (6.9.1.1) contains a stored XSS vulnerability. A remote authenticated malicious Archer user with access to modify link name fields could potentially exploit this vulnerability to execute code in a victim's browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
cve@mitre.org 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa archer *
CVE-2021-29253 LOW

The Tableau integration in RSA Archer 6.4 P1 (6.4.0.1) through 6.9 P2 (6.9.0.2) is affected by an insecure credential storage vulnerability. An malicious attacker with access to the Tableau workbook file may obtain access to credential information to use it in further attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6
cve@mitre.org 5.1 MEDIUM CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 1.4 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-522,

Products Affected

Vendor Product Version
rsa archer *
CVE-2021-33615 HIGH

RSA Archer 6.8.00500.1003 P5 allows Unrestricted Upload of a File with a Dangerous Type.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
rsa archer *
CVE-2021-33616 LOW

RSA Archer 6.x through 6.9 SP1 P4 (6.9.1.4) allows stored XSS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa archer *
CVE-2021-38362 MEDIUM

In RSA Archer 6.x through 6.9 SP3 (6.9.3.0), an authenticated attacker can make a GET request to a REST API endpoint that is vulnerable to an Insecure Direct Object Reference (IDOR) issue and retrieve sensitive data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-639,

Products Affected

Vendor Product Version
rsa archer *
CVE-2021-41594 MEDIUM

In RSA Archer 6.9.SP1 P3, if some application functions are precluded by the Administrator, this can be bypassed by intercepting the API request at the /api/V2/internal/TaskPermissions/CheckTaskAccess endpoint. If the parameters of this request are replaced with empty fields, the attacker achieves access to the precluded functions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rsa archer *
CVE-2022-26947 LOW

Archer 6.x through 6.9 SP3 (6.9.3.0) contains a reflected XSS vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability by tricking a victim application user into supplying malicious HTML or JavaScript code to the vulnerable web application; the malicious code is then reflected back to the victim and gets executed by the web browser in the context of the vulnerable web application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N 2.1 4.2
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa archer *
CVE-2022-26948 MEDIUM

The Archer RSS feed integration for Archer 6.x through 6.9 SP1 (6.9.1.0) is affected by an insecure credential storage vulnerability. A malicious attacker may obtain access to credential information to use it in further attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 5.8 MEDIUM CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:H 0.3 5.5
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,

Products Affected

Vendor Product Version
rsa archer *
CVE-2022-26949 MEDIUM

Archer 6.x through 6.9 SP2 P1 (6.9.2.1) contains an improper access control vulnerability on attachments. A remote authenticated malicious user could potentially exploit this vulnerability to gain access to files that should only be allowed by extra privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.6 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rsa archer *
CVE-2022-26950 MEDIUM

Archer 6.x through 6.9 P2 (6.9.0.2) is affected by an open redirect vulnerability. A remote unprivileged attacker may potentially redirect legitimate users to arbitrary web sites and conduct phishing attacks. The attacker could then steal the victims' credentials and silently authenticate them to the Archer application without the victims realizing an attack occurred.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
rsa archer *
CVE-2022-26951 MEDIUM

Archer 6.x through 6.10 (6.10.0.0) contains a reflected XSS vulnerability. A remote SAML-unauthenticated malicious Archer user could potentially exploit this vulnerability by tricking a victim application user into supplying malicious HTML or JavaScript code to the vulnerable web application; the malicious code is then reflected back to the victim and gets executed by the web browser in the context of the vulnerable web application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa archer *
CVE-2022-30584 HIGH

Archer Platform 6.3 before 6.11 (6.11.0.0) contains an Improper Access Control Vulnerability within SSO ADFS functionality that could potentially be exploited by malicious users to compromise the affected system. 6.10 P3 (6.10.0.3) and 6.9 SP3 P4 (6.9.3.4) are also fixed releases.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
cve@mitre.org 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rsa archer *
CVE-2022-30585 MEDIUM

The REST API in Archer Platform 6.x before 6.11 (6.11.0.0) contains an Authorization Bypass Vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to view sensitive information. 6.10 P3 (6.10.0.3) and 6.9 SP3 P4 (6.9.3.4) are also fixed releases.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rsa archer *
CVE-2022-37316

Archer Platform 6.8 before 6.11 P3 (6.11.0.3) contains an improper API access control vulnerability in a multi-instance system that could potentially present unauthorized metadata to an authenticated user of the affected system. 6.10 P3 HF1 (6.10.0.3.1) is also a fixed release.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
cve@mitre.org 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
rsa archer *
CVE-2022-37317

Archer Platform 6.x before 6.11 P3 contain an HTML injection vulnerability. An authenticated remote attacker could potentially exploit this vulnerability by tricking a victim application user to execute malicious code in the context of the web application. 6.10 P4 (6.10.0.4) and 6.11 P2 HF4 (6.11.0.2.4) are also fixed releases.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
cve@mitre.org 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 2.8 4.7

Products Affected

Vendor Product Version
rsa archer *
CVE-2022-37318

Archer Platform 6.9 SP2 P2 before 6.11 P3 (6.11.0.3) contain a reflected XSS vulnerability. A remote unauthenticated malicious Archer user could potentially exploit this vulnerability by tricking a victim application user into supplying malicious JavaScript code to the vulnerable web application. This code is then reflected to the victim and gets executed by the web browser in the context of the vulnerable web application. 6.10 P4 (6.10.0.4) and 6.11 P2 HF4 (6.11.0.2.4) are also fixed releases.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 7.0 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L 2.2 4.7
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
rsa archer *
CVE-2022-47529

Insecure Win32 memory objects in Endpoint Windows Agents in RSA NetWitness Platform before 12.2 allow local and admin Windows user accounts to modify the endpoint agent service configuration: to either disable it completely or run user-supplied code or commands, thereby bypassing tamper-protection features via ACL modification.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

Products Affected

Vendor Product Version
rsa netwitness *
CVE-2024-47856

In RSA Authentication Agent before 7.4.7, service paths and shortcut paths may be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks. An adversary can place an executable in a higher-level directory of the path, and Windows will resolve that executable instead of the intended executable.

Products Affected

Vendor Product Version
rsa authentication_agent_for_windows *