BlackBerry Enterprise Server Cross Frame Scripting Vulnerabilities
12 Jan. 2016
The Management Console in BlackBerry Enterprise Server (BES) 12 before 12.2 does not properly restrict use of FRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site, related to a "cross frame scripting" issue.
* BlackBerry Enterprise Server (BES) 12 before 12.2
* BlackBerry Enterprise Server (BES) 12 after 12.2
This advisory addresses a cross frame scripting vulnerability that is not currently being exploited but affects BES12 customers. BlackBerry customer risk is limited by the requirement that a potential attacker possess knowledge of the internal network and by the inability of an attacker to force exploitation of the vulnerability without customer interaction. Successful exploitation requires an attacker to craft a malicious web page using a URL that successfully masks the malicious site and requires that a user with Management Console access click on the malicious link. If the requirements are met for exploitation, an attacker could potentially monitor or modify the user's actions. After installing the recommended software update, affected customers will be fully protected from this vulnerability.
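The defect described above is the absence of an anti-framing policy on the Management Console's responses, which is what lets a crafted third-party page embed the console in a frame for clickjacking. The check below is an added example, not BlackBerry code and not taken from this advisory: it classifies an HTTP response's header set the way a reviewer or scanner would, applying `Content-Security-Policy: frame-ancestors` first (it takes precedence over `X-Frame-Options` when both are present) and falling back to `X-Frame-Options`. The header values, origins and hostnames are constructed placeholders.

```python
"""Classify an HTTP response's anti-framing posture (clickjacking / cross frame scripting).

Added example for review purposes; the origins and header sets below are constructed,
not captured from any real BES installation.
"""
from typing import Dict, List, Optional


def parse_csp(csp: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def framing_allowed_from(headers: Dict[str, str], origin: str, self_origin: str) -> bool:
    """Return True if a page at self_origin, served with these headers, could be
    embedded in a frame by a page at `origin`.

    Header names are matched case-insensitively. A CSP frame-ancestors directive,
    when present, decides the answer and X-Frame-Options is ignored (CSP Level 2);
    otherwise X-Frame-Options DENY / SAMEORIGIN is honoured. No header at all means
    any site may frame the page, which is the condition the advisory describes.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = origin.lower()
    self_origin = self_origin.lower()

    csp = h.get("content-security-policy")
    if csp:
        ancestors: Optional[List[str]] = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            for src in ancestors:
                s = src.strip("'").lower()
                if s == "none":
                    return False
                if s == "*":
                    return True
                if s == "self" and origin == self_origin:
                    return True
                if s == origin:
                    return True
                # A bare scheme such as "https:" matches any origin using that scheme.
                if s.endswith(":") and origin.startswith(s):
                    return True
            return False

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin == self_origin
    # Missing, empty or obsolete (ALLOW-FROM) header: browsers will frame the page.
    return True


# Constructed sample header sets (placeholders, not real console responses).
UNPROTECTED = {"Content-Type": "text/html"}
SAMEORIGIN_ONLY = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
HARDENED = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}
PARTNER_ALLOWED = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://portal.example",
}


def audit(headers: Dict[str, str],
          self_origin: str = "https://console.example.internal",
          third_party: str = "https://attacker.example") -> Dict[str, bool]:
    """Summarise whether a response can be framed by an unrelated site and by itself."""
    return {
        "frameable_by_third_party": framing_allowed_from(headers, third_party, self_origin),
        "frameable_by_self": framing_allowed_from(headers, self_origin, self_origin),
    }


if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED), ("sameorigin", SAMEORIGIN_ONLY),
                       ("hardened", HARDENED), ("partner", PARTNER_ALLOWED)):
        print(f"{name:12s} {audit(hdrs)}")
```

A response where `frameable_by_third_party` is true is the condition to flag; the `HARDENED` set is the posture the 12.2 update is expected to produce for the console, with both headers sent so that older browsers that predate `frame-ancestors` still enforce `DENY`.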