The popular GRC tool Archer GRC, used by many infosec practitioners to manage governance details for organizations, has been found to have cross-site scripting vulnerabilities that may be used to compromise the system. The issue is considered to be problematic. I echo this opinion, as many organizations are storing confidential risk information in these systems.
There is a patch available from EMC/RSA for Archer GRC. A summary is provided below, as well as the full text of the alert. -- moderator
Description
Vulnerabilities have been reported in the RSA Archer GRC 5.x platform that can be leveraged to compromise the affected system.
An unspecified input is not properly handled before being displayed to the user. This can be leveraged to display arbitrary HTML and execute script code within an end-user's web session in the context of the attacked site.
The vulnerabilities are reported in versions prior to 5.4 P2 and 5.4 SP1. According to the material provided, the vulnerability is remotely exploitable, but the victim must voluntarily interact with the attack mechanism.
Mitigation
Apply the available vendor patch. According to the release, RSA strongly recommends that all customers upgrade to RSA Archer GRC 5.4 P2 or 5.4 SP1 at their earliest opportunity.
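As an added example (not from the advisory or from RSA), the following triage check decides, for an inventory of Archer instances, which ones still fall below the fixed builds named above. The version-string format ("major.minor", optionally followed by "SP<n>" and/or "P<n>") and the ordering of service packs above patches are assumptions, and the inventory is constructed sample data.

```python
import re
from typing import Dict, Tuple

# Assumed version-string format (not documented in the advisory):
# "<major>.<minor>[ SP<n>][ P<n>]", e.g. "5.3", "5.4", "5.4 P1", "5.4 SP1".
# Assumed ordering: major, then minor, then service pack, then patch.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\s+SP(\d+))?(?:\s+P(\d+))?\s*$", re.IGNORECASE
)


def parse_archer_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, sp, patch); raise ValueError on unrecognised input."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Archer version string: {text!r}")
    major, minor, sp, patch = m.groups()
    return int(major), int(minor), int(sp or 0), int(patch or 0)


# Fixed builds named in the advisory: 5.4 P2 and 5.4 SP1. Under the assumed
# ordering 5.4 SP1 sorts above 5.4 P2, so "below 5.4 P2" covers both fixes.
_FIXED_54_P2 = (5, 4, 0, 2)


def is_affected_cve_2013_6178(version: str) -> bool:
    """True if a 5.x build predates both fixed builds (5.4 P2 / 5.4 SP1)."""
    v = parse_archer_version(version)
    if v[0] != 5:
        return False  # the advisory only covers the 5.x platform
    return v < _FIXED_54_P2


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> 'UPGRADE' or 'OK' for an inventory of Archer instances."""
    return {
        host: ("UPGRADE" if is_affected_cve_2013_6178(ver) else "OK")
        for host, ver in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory; the host names are placeholders.
    sample = {"grc-prod": "5.4 P1", "grc-test": "5.4 SP1",
              "grc-old": "5.3", "grc-dev": "5.4 P2"}
    for host, status in triage(sample).items():
        print(host, status)
```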
Advisory
- http://archives.neohapsis.com/archives/bugtraq/2013-12/att-0120/ESA-2013-079.txt
- CVE-2013-6178
- ESA-2013-079