Security Bulletin 2014-1

A small number of vulnerabilities exist in Sequence Kinetics V7.5.  Please upgrade to V7.7 to address these issues.

Details

1)

CVE ID: CVE-2014-6301

Description: Some URLs in the Sequence 7.5 Tables Management module were found to be vulnerable to reflected cross-site scripting.

Identified in version: 7.5

Addressed in version: 7.7

Fix details: Input is validated as strictly as possible on arrival, given the kind of content it is expected to contain. Input is HTML-encoded at every point where it is copied into application responses.
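The two measures named in the fix (strict validation on arrival, HTML encoding at output) can be shown side by side. The following is an added example written for this bulletin, not code from PNMsoft or the Sequence Kinetics product; the function names, the allow-list for what a table name may contain, and the sample inputs are all assumptions made for illustration.

```python
"""Added example: validate a reflected parameter on arrival and HTML-encode it
at output. Hypothetical helpers; not Sequence Kinetics code."""
import html
import re

# Allow-list sized to what a table name is assumed to contain for this
# example: letters, digits and underscore, 1 to 64 characters.
_TABLE_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")


def validate_table_name(value: str) -> str:
    """Arrival check: refuse anything that is not a plausible table name."""
    if not _TABLE_NAME_RE.fullmatch(value):
        raise ValueError("invalid table name")
    return value


def render_table_heading_unsafe(table_name: str) -> str:
    """The 'before' shape: the parameter is copied into the response verbatim,
    so a crafted value becomes markup in both the attribute and the text."""
    return f'<h1 data-table="{table_name}">Table {table_name}</h1>'


def render_table_heading(table_name: str) -> str:
    """The 'after' shape: encode at every point the value enters the response.
    quote=True also encodes the quote characters, which matters inside the
    attribute value."""
    safe = html.escape(table_name, quote=True)
    return f'<h1 data-table="{safe}">Table {safe}</h1>'


def handle_request(query_table: str) -> str:
    """Full request path: validate on arrival, then encode on output.
    Either layer alone would stop the constructed sample below; the bulletin
    applies both."""
    name = validate_table_name(query_table)
    return render_table_heading(name)


if __name__ == "__main__":
    print(handle_request("Orders_2014"))
    # Constructed sample of a value that would be reflected as markup:
    print(render_table_heading_unsafe('"><b>x</b>'))
    print(render_table_heading('"><b>x</b>'))
```

The encoding step is deliberately applied to every copy of the value, not just the first one; the attribute and the text node are two separate output contexts, and both need it.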

2)

CVE ID: CVE-2014-6302

Description: Sequence 7.5 Monitoring Administration pages were identified as vulnerable to XML external entity (XXE) injection.

Identified in version: 7.5

Addressed in version: 7.7

Fix details: Added a code layer to prevent this vulnerability. XML documents are no longer allowed to define entities that reference other entities defined within the document.

3)

CVE ID: CVE-2014-6303

Description: Sequence 7.5 Monitoring Administration pages were identified as vulnerable to XML entity expansion.

Identified in version: 7.5

Addressed in version: 7.7

Fix details: Added a code layer to prevent this vulnerability. XML documents are no longer allowed to define entities that reference resources external to the document. XML parsers do not support this feature by default.
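Items 2 and 3 describe the same kind of "code layer": a parser that refuses entity declarations in untrusted XML, which closes both the external-entity (XXE) and the internal-entity-expansion cases at once. The following is an added example written for this bulletin, not the product's own code; it uses Python's bundled expat parser, the function names are hypothetical, and the three sample documents are constructed for the test.

```python
"""Added example: parse untrusted XML while refusing every entity declaration.
Hypothetical helpers built on Python's xml.parsers.expat; not Sequence code."""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when an untrusted document tries to declare or fetch an entity."""


class _TreeBuilder:
    """Minimal element-tree builder driven by expat callbacks."""

    def __init__(self):
        self.root = None
        self._stack = []

    def start(self, name, attrs):
        node = {"tag": name, "attrs": attrs, "text": "", "children": []}
        if self._stack:
            self._stack[-1]["children"].append(node)
        else:
            self.root = node
        self._stack.append(node)

    def end(self, name):
        self._stack.pop()

    def chars(self, data):
        if self._stack:
            self._stack[-1]["text"] += data


def _refuse_entity_decl(entity_name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
    # Every entity declaration is refused: an internal one (value set) is the
    # expansion case from item 3, an external one (system_id or public_id set)
    # is the XXE case from item 2.
    kind = "external" if (system_id or public_id) else "internal"
    raise UnsafeXmlError(f"{kind} entity declaration {entity_name!r} not allowed")


def _refuse_external_ref(context, base, system_id, public_id):
    # Second layer: even if an entity were declared, never resolve it.
    raise UnsafeXmlError(f"external entity reference {system_id!r} not allowed")


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse untrusted XML into nested dicts; raise UnsafeXmlError on entities."""
    builder = _TreeBuilder()
    p = xml.parsers.expat.ParserCreate()
    p.EntityDeclHandler = _refuse_entity_decl
    p.ExternalEntityRefHandler = _refuse_external_ref
    p.StartElementHandler = builder.start
    p.EndElementHandler = builder.end
    p.CharacterDataHandler = builder.chars
    p.Parse(data, True)
    return builder.root


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the restrictive policy."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXmlError, xml.parsers.expat.ExpatError):
        return False


# Constructed sample documents (not from the bulletin):
SAFE_DOC = b'<?xml version="1.0"?><monitor><job id="1">ok</job></monitor>'
INTERNAL_ENTITY_DOC = (b'<?xml version="1.0"?>'
                       b'<!DOCTYPE m [<!ENTITY a "aaaa">]><m>&a;</m>')
EXTERNAL_ENTITY_DOC = (b'<?xml version="1.0"?>'
                       b'<!DOCTYPE m [<!ENTITY x SYSTEM "file:///placeholder">]>'
                       b'<m>&x;</m>')

if __name__ == "__main__":
    for label, doc in [("safe", SAFE_DOC), ("internal entity", INTERNAL_ENTITY_DOC),
                       ("external entity", EXTERNAL_ENTITY_DOC)]:
        print(label, "->", "accepted" if is_accepted(doc) else "rejected")
```

Refusing all declarations is the blunt form of the policy and matches what the bulletin describes; it fits data formats that never legitimately carry a DTD. Note that expat already does not fetch external entities unless a handler is installed, but it does expand internal entities, so the declaration hook is the layer that actually stops the expansion case.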

4)

CVE ID: CVE-2014-6304

Description: The Sequence 7.5 Form Controls CSS file was identified as having a source code disclosure vulnerability.

Identified in version: 7.5

Addressed in version: 7.7

Fix details: Changed the CSS file and removed all server-side tags.

Acknowledgement: These vulnerabilities were reported by Giuseppe Diego Gianni of NCIA/NCIRC.