CVE-2017-14370 in RSA Archer GRC

Summary

by MITRE

RSA Archer GRC Platform prior to 6.2.0.5 is affected by stored cross-site scripting via the Source Asset ID field. An authenticated attacker may potentially exploit this to execute arbitrary HTML in the user's browser session in the context of the affected RSA Archer application.


Analysis

by VulDB Data Team • 01/03/2023

The RSA Archer GRC Platform version 6.2.0.4 and earlier contains a critical stored cross-site scripting vulnerability that exposes organizations to significant security risks. This vulnerability resides within the Source Asset ID field of the application's data handling mechanisms, creating a persistent threat vector that can be exploited by authenticated attackers with minimal privileges. The flaw represents a direct violation of web application security principles and demonstrates a failure in proper input sanitization and output encoding within the platform's user interface components.

The technical implementation of this vulnerability stems from inadequate validation and sanitization of user-supplied data within the Source Asset ID field. When an authenticated user submits malicious input containing HTML or JavaScript code, the application fails to properly escape or encode this content before storing it in the database. Subsequently, when other users view the affected records, the malicious payload executes within their browser sessions, leveraging the trusted context of the RSA Archer application. This stored XSS flaw operates at the application layer and can be classified under CWE-79 as a failure to sanitize user input before incorporating it into dynamically generated web pages. The vulnerability's impact is amplified by the fact that it requires only authentication, making it accessible to users with legitimate access rights who may be compromised or malicious in intent.

The operational consequences of this vulnerability extend beyond simple script execution, as it enables attackers to potentially escalate privileges, steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. An attacker could craft a payload that steals authentication tokens, allowing them to maintain persistent access to the platform without requiring additional credentials. The vulnerability affects the integrity of the application's user interface and can compromise the confidentiality of sensitive data processed within the RSA Archer environment. Organizations utilizing this platform face increased risk of data breaches, unauthorized access to governance, risk, and compliance information, and potential disruption of business processes that depend on the platform's secure operation.

Mitigation strategies for this vulnerability should include immediate implementation of the vendor-provided patch, version 6.2.0.5, which addresses the input validation issues within the Source Asset ID field. Organizations should also implement additional defensive measures such as input validation at multiple layers, including client-side and server-side sanitization, proper output encoding for all dynamic content, and regular security assessments of user input fields. Network-level protections such as web application firewalls can provide additional defense-in-depth, though they should not replace proper application-level fixes. Security monitoring should be enhanced to detect anomalous input patterns, and user access controls should be reviewed to ensure least privilege principles are maintained. This vulnerability aligns with ATT&CK technique T1059.001 for command and scripting interpreter and T1566.001 for credential harvesting through phishing, making comprehensive security awareness training essential for personnel who interact with the platform. The remediation process should also include thorough testing to ensure the patch does not introduce regressions in platform functionality while maintaining the integrity of legitimate business processes that depend on the affected fields.
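The following Python example is added here to illustrate the defect class described in the analysis above (a stored field rendered into a page without encoding) next to the controls the mitigation paragraph recommends (output encoding, server-side validation, and monitoring of stored values for markup). It is not RSA Archer code and does not reproduce the platform's actual rendering path; the field name, the sample values and the allowlist pattern are constructed for illustration.

```python
import html
import re

# Constructed sample values for a free-text "Source Asset ID" field. The first
# two are legitimate business data; the third carries HTML markup.
SAMPLE_SOURCE_ASSET_IDS = [
    "ASSET-0001",
    "R&D-LAB-02",
    "<script>alert('stored xss')</script>",
]


def render_unencoded(source_asset_id: str) -> str:
    """Vulnerable pattern (illustration): the stored value is concatenated into
    the page markup verbatim, so any HTML it contains becomes part of the DOM."""
    return f'<td class="source-asset-id">{source_asset_id}</td>'


def render_encoded(source_asset_id: str) -> str:
    """Hardened pattern: HTML-encode at the point of output. Encoding is done
    regardless of what validation happened on the way in, because the value
    may have been stored before validation existed (as in the affected versions)."""
    return f'<td class="source-asset-id">{html.escape(source_asset_id, quote=True)}</td>'


# Assumed server-side allowlist for an asset identifier: alphanumerics plus a few
# separators. This is a hypothetical rule, not the vendor's; note that it also
# rejects legitimate-looking values such as "R&D-LAB-02", which is why output
# encoding, not validation alone, is the primary XSS control.
ASSET_ID_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def is_valid_asset_id(value: str) -> bool:
    """Return True when the value matches the (assumed) allowlist pattern."""
    return ASSET_ID_PATTERN.fullmatch(value) is not None


# Indicators used to sweep already-stored values for markup: an opening or
# closing tag, an inline event-handler attribute, or a javascript: URL scheme.
MARKUP_INDICATORS = re.compile(r"<\s*/?[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def flag_suspicious_values(values):
    """Return the stored values that look like markup and deserve review.
    Intended for a post-patch audit of records written before the fix."""
    return [v for v in values if MARKUP_INDICATORS.search(v)]


if __name__ == "__main__":
    for value in SAMPLE_SOURCE_ASSET_IDS:
        print("unencoded:", render_unencoded(value))
        print("encoded:  ", render_encoded(value))
        print("valid:    ", is_valid_asset_id(value))
        print()
    print("flagged for review:", flag_suspicious_values(SAMPLE_SOURCE_ASSET_IDS))
```

Running the script shows the third value surviving intact in the unencoded rendering and appearing as inert text in the encoded one, while the audit sweep lists only that value. The `R&D-LAB-02` case is the caveat worth noticing: it fails the strict allowlist yet is harmless once encoded, so an allowlist tightened after the fact can break legitimate data, whereas encoding every dynamic value at output covers both cases.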

Reservation

09/12/2017

Disclosure

10/11/2017

Moderation

accepted

CPE

ready

EPSS

0.00280

KEV

no

Activities

very low
