XSS Vulnerability (2017)

An XSS vulnerability impacting the KEMP LoadMaster family of products, tracked under KEMP reference number PD-8290, allowed unauthenticated users to inject JavaScript code which, under certain circumstances, would allow the creation of administrative users. This was resolved in version 7.2.37 of the LoadMaster Operating System (LMOS), released in February 2017.

The resolution addressed an issue that allowed browsers to execute JavaScript from warning logs. The fix sanitizes log entries before they are displayed, so that any embedded script is rendered as text and is inoperative. This fix was also backported to our 7.1.35 Long-Term Support branch. LoadMaster release 7.2.37 and later, as well as the Long-Term Support Release of and later, include the fix. To mitigate this vulnerability, customers are advised to migrate to one of the aforementioned versions.
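The fix described above is output encoding: log text that may contain attacker-supplied markup is encoded before it reaches the page, so the browser shows it as text rather than executing it. The following is an added illustration of that pattern, not KEMP's code and not the LMOS log viewer; the log entries, field names and the `escapeHtml`, `renderLogUnsafe`, `renderLogSafe` and `containsActiveMarkup` functions are constructed for the example.

```javascript
// Added example, not KEMP's code: HTML-encode untrusted log text before it is
// placed in a page, so a log line that contains markup is displayed, not run.

// Characters with meaning in an HTML text or quoted-attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a value for insertion into HTML element content or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample warning-log entries (timestamps and messages are made up).
// The last entry shows a message field carrying markup that arrived from an
// unauthenticated client, which is the shape of the issue described above.
const SAMPLE_LOG = [
  { ts: '2017-02-01T10:00:00Z', level: 'WARN', msg: 'Certificate for vs1 expires in 7 days' },
  { ts: '2017-02-01T10:02:13Z', level: 'WARN', msg: 'Login failed for user "admin" from 10.0.0.5' },
  { ts: '2017-02-01T10:05:41Z', level: 'WARN', msg: 'Rejected request: <script>alert(1)</script>' },
];

// Vulnerable pattern: log fields are concatenated straight into markup, so a
// tag inside a message becomes live HTML when an administrator opens the view.
function renderLogUnsafe(entries) {
  return '<table>\n' +
    entries.map((e) => `<tr><td>${e.ts}</td><td>${e.level}</td><td>${e.msg}</td></tr>`).join('\n') +
    '\n</table>';
}

// Fixed pattern: every dynamic field is encoded at the point of output, which
// is what "sanitized before they are displayed" amounts to for a text context.
function renderLogSafe(entries) {
  return '<table>\n' +
    entries.map((e) =>
      `<tr><td>${escapeHtml(e.ts)}</td><td>${escapeHtml(e.level)}</td><td>${escapeHtml(e.msg)}</td></tr>`
    ).join('\n') +
    '\n</table>';
}

// Regression check for rendered output: no raw <script> tag or inline event
// handler attribute should survive encoding. Use it in tests of the log view.
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\son\w+\s*=/i.test(html);
}

console.log('unsafe render contains active markup:', containsActiveMarkup(renderLogUnsafe(SAMPLE_LOG)));
console.log('safe render contains active markup:  ', containsActiveMarkup(renderLogSafe(SAMPLE_LOG)));
```

The encoding is applied once, at output time, and to every field rather than only the one known to be attacker-controlled; encoding on the way into the log would corrupt the stored text for other consumers and still leave any field that bypassed the filter live. Encoding into a script or URL context needs a different encoder; the one above is for element content and quoted attributes only.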

The latest GA version of LoadMaster and Long-Term Support releases can be accessed at https://support.kemptechnologies.com/hc/en-us/categories/200141477-Downloads.  Please contact KEMP Support for any further questions and support with migration related activities by submitting a request at https://support.kemptechnologies.com/hc/en-us/requests/new.

