SAINT Security Advisory #15

Date: July 17, 2020
Affected Software: SAINT Security Suite 8.0 through 9.8.20
Severity: medium
Advisory URL: https://download.saintcorporation.com/products/saint_advisory15.txt
CVE: CVE-2020-16275, CVE-2020-16276, CVE-2020-16277, CVE-2020-16278

IMPACT

A remote authenticated SAINT user could execute arbitrary SQL commands.

A remote attacker who is able to trick an authenticated SAINT user into clicking on a malicious link could run arbitrary script in the security context of the authenticated user.

PROBLEM DESCRIPTION

Two SQL injection and two cross-site scripting vulnerabilities exist in the SAINT web interface.

As of the date of this advisory, there has been no indication that these vulnerabilities have been publicized or exploited in the wild.

MITIGATING FACTORS

An attacker would need an account on the SAINT system in order to exploit the SQL injection vulnerabilities.

An authenticated SAINT user would need to click on a malicious link or button provided by an attacker in order for the cross-site scripting vulnerabilities to be exploited.

RESOLUTION

Upgrade to SAINT 9.8.21 or higher. If SAINTexpress updates are enabled, simply restart the manager to upgrade.

ACKNOWLEDGEMENTS

Thanks to Aditya Vyawahare for reporting the first SQL injection vulnerability.

CONTACT INFORMATION

For more information about this advisory, please contact SAINT technical support at https://support.saintcorporation.com.

Copyright 2020 SAINT Corporation.