CVE-2010-4322

Vulnerability

A cross-site scripting (XSS) vulnerability exists in gwtTeaming.rpc within Novell Vibe OnPrem 3 BETA. The flaw allows remote authenticated users to inject arbitrary web script or HTML through the Micro Blog ("What Are You Working On?") field. The affected version is Novell Vibe OnPrem 3 BETA.

Exploitation

An attacker must be an authenticated user of the Novell Vibe platform. The attack is performed by entering crafted JavaScript or HTML into the Micro Blog field. When other users view the posted content, the malicious script executes in the context of their session. No special network access is required beyond standard web application usage.

Impact

Successful exploitation leads to cross-site scripting (XSS), which can result in session hijacking, defacement, or theft of sensitive information displayed within the application. The attacker's injected code runs under the security context of the victim user, potentially allowing actions on behalf of that user.

Mitigation

As the vulnerability was disclosed in a beta version, Novell likely addressed the issue in later stable releases. According to the advisory [1], the specific fix is not detailed. Users should upgrade to the latest supported version of Novell Vibe OnPrem. No workaround is provided in the available references. This CVE is not listed in KEV.