Silent security alert – RSA archer (CVE-2018-11059 & CVE-2018-11060)

Archer Technologies provided enterprise governance, risk, and compliance management software. The product aim to reduce enterprise risks, manage and demonstrate compliance, automate business processes, and gain visibility into corporate risk and security controls. Whereby, it integrate with your internal systems equivalent as workflow management especially approval process.

REST API  relies on a stateless, client-server, cacheable communications protocol. The HTTP protocol is use in default.

Recent found vulnerabilities (CVE-2018-11059 and CVE-2018-11060) coincident working together jeopardizing your risk management and cyber security defense. A possible scenario may happens in this way. RSA Archer, versions prior to, contain a stored cross-site scripting vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. Then hacker exploit CVE-2018-11060 to to elevate his privileges.

Reference hyperlink shown as below: