Reflected Cross-site Scripting at DsaDataTest (CVE-2021-42856)

Solution Number: S36241
Last Modified: 2022-08-26
Description
What's the issue?
It was discovered that the /DsaDataTest endpoint is susceptible to a reflected Cross-site Scripting (XSS) attack. The Metric parameter does not have any input checks, so an attacker can supply a crafted value that is reflected into the response and triggers an XSS vulnerability.

CVE-2021-42856
Severity: Medium
Versions Affected: <11.8.8, 12.x<12.13, 10.x
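The following is an added illustration of the defect class described above and is not code from the advisory or from the AppInternals agent. It contrasts a handler that reflects a query parameter verbatim with one that HTML-encodes it and one that additionally restricts the parameter to an allow-list. The endpoint name and the parameter name come from the advisory; the response markup, the metric-name pattern and the sample query string are constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample query string for a /DsaDataTest request. The Metric
# value carries markup; it is made up for this example, not taken from the
# advisory.
SAMPLE_QUERY = "Metric=cpu.load%3Cscript%3Ealert(1)%3C%2Fscript%3E"

# Assumed allow-list for a metric name: letters, digits, dot, underscore,
# colon and dash, 1-64 characters. The real product's format is not known.
ALLOWED_METRIC = re.compile(r"[A-Za-z0-9_.:-]{1,64}")


def metric_from_query(query):
    """Return the first Metric value from a URL query string ('' if absent)."""
    return parse_qs(query).get("Metric", [""])[0]


def render_unsafe(query):
    """Vulnerable pattern: the Metric value is interpolated into the HTML
    body without encoding, so any tags in it become part of the page."""
    metric = metric_from_query(query)
    return f"<h1>Data test for metric: {metric}</h1>"


def render_encoded(query):
    """Hardened pattern: encode the value for an HTML text context so the
    browser renders it as literal text rather than as markup."""
    metric = metric_from_query(query)
    return f"<h1>Data test for metric: {html.escape(metric, quote=True)}</h1>"


def is_valid_metric(value):
    """Allow-list check on the raw parameter (defence in depth, not a
    substitute for output encoding)."""
    return ALLOWED_METRIC.fullmatch(value) is not None


def render_validated(query):
    """Reject values outside the allow-list, and still encode what is
    reflected. Returns (body, http_status)."""
    metric = metric_from_query(query)
    if not is_valid_metric(metric):
        return "<h1>Invalid metric name</h1>", 400
    return f"<h1>Data test for metric: {html.escape(metric, quote=True)}</h1>", 200


if __name__ == "__main__":
    print("unsafe:   ", render_unsafe(SAMPLE_QUERY))
    print("encoded:  ", render_encoded(SAMPLE_QUERY))
    print("validated:", render_validated(SAMPLE_QUERY))
```

Output encoding is the fix that closes the reflection regardless of what the parameter contains; the allow-list is an extra layer that also gives a clear signal (a 400 on /DsaDataTest with a non-matching Metric value) that can be logged and alerted on.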
Solution
Mitigation
The vulnerability has been fixed in AppInternals Agent GA versions 11.8.8 and 12.14.0 and later. They are available for download in the Aternity Support portal.

Credit
Discovered by GovTech Security Team (Darrel Huang, Bjorn Lim, Leng Kang Hao).
Environment
SteelCentral AppInternals Dynamic Sampling Agent