Unrated severity · NVD Advisory · Published Mar 25, 2019 · Updated Aug 4, 2024

CVE-2019-3480

Description

Mitigates a stored/reflected XSS issue in ArcSight Logger versions prior to 6.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored and reflected XSS vulnerability in ArcSight Logger versions prior to 6.7 allows attackers to inject arbitrary web script.

Vulnerability

ArcSight Logger versions prior to 6.7 contain a stored and reflected cross-site scripting (XSS) vulnerability [1]. The issue exists in the web interface input handling, where user-supplied data is not properly sanitized before being stored or reflected in HTTP responses [1]. All versions from 5.0 through 6.6 and 6.61 are affected [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious payload (e.g., JavaScript) and submitting it through the affected input fields [1]. The payload can be stored in the application (stored XSS) or reflected immediately in the response (reflected XSS) [1]. The attacker does not need elevated privileges to submit the payload, but user interaction (e.g., viewing the malicious page) is required for the stored variant to execute in the context of another user's session [1].

Impact

Successful exploitation allows the attacker to execute arbitrary web scripts in the context of the victim's browser session [1]. This can lead to session hijacking, defacement, or theft of sensitive information displayed in the application. The XSS can be stored, affecting all users who view the compromised page, or reflected, affecting only the targeted user [1].

Mitigation

Micro Focus released ArcSight Logger version 6.7 to fix this vulnerability [1]. Users should upgrade to 6.7 or later. As a workaround, administrators can restrict network access to the Logger web interface and apply proper input validation and output encoding. The vulnerability is not listed in the KEV catalog as of the last update.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
