The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of BlackBerry UEM

vulnerability note CVE-2019-8999

BlackBerry UEM: external XML entity injection

Synthesis of the vulnerability

An attacker can transmit malicious XML data to BlackBerry UEM, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: BlackBerry UEM.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 18/04/2019.
Identifiers: BSRT-2019-002, CVE-2019-8999, VIGILANCE-VUL-29094.

Description of the vulnerability

XML data can contain external entities (DTD):
  <!ENTITY name SYSTEM "file">
  <!ENTITY name SYSTEM "http://server/file">
A program that reads this XML data can replace these entities with data coming from the indicated file. When the program uses XML data coming from an untrusted source, this behavior leads to:
 - disclosure of the content of files on the server
 - scanning of private web sites
 - a denial of service by opening a blocking file
This feature must be disabled when processing XML data coming from an untrusted source.

However, the BlackBerry UEM parser allows external entities.

An attacker can therefore transmit malicious XML data to BlackBerry UEM, in order to read a file, scan sites, or trigger a denial of service.

computer vulnerability announcement CVE-2018-8888 CVE-2018-8891 CVE-2018-8892

BlackBerry UEM: three vulnerabilities via Management Console

Synthesis of the vulnerability

An attacker can use several vulnerabilities via the Management Console of BlackBerry UEM.
Impacted products: BlackBerry UEM.
Severity: 2/4.
Consequences: user access/rights, client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 19/12/2018.
Identifiers: BSRT-2018-005, CVE-2018-8888, CVE-2018-8891, CVE-2018-8892, VIGILANCE-VUL-28057.

Description of the vulnerability

An attacker can use several vulnerabilities via the Management Console of BlackBerry UEM.

computer vulnerability announcement CVE-2018-8890

BlackBerry UEM: information disclosure via Management Console

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via the Management Console of BlackBerry UEM, in order to obtain sensitive information.
Impacted products: BlackBerry UEM.
Severity: 2/4.
Consequences: data reading.
Provenance: LAN.
Creation date: 10/10/2018.
Identifiers: BSRT 2018-004, CVE-2018-8890, VIGILANCE-VUL-27457.

Description of the vulnerability

An attacker can bypass access restrictions to data via the Management Console of BlackBerry UEM, in order to obtain sensitive information.

vulnerability note CVE-2018-8889

BlackBerry Enterprise Mobility Server: directory traversal via Connect Service

Synthesis of the vulnerability

An attacker can traverse directories via the Connect Service of BlackBerry Enterprise Mobility Server, in order to read a file outside the service root path.
Impacted products: BlackBerry UEM.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 19/09/2018.
Identifiers: BSRT-2018-003, CVE-2018-8889, VIGILANCE-VUL-27264.

Description of the vulnerability

An attacker can traverse directories via the Connect Service of BlackBerry Enterprise Mobility Server, in order to read a file outside the service root path.

computer vulnerability note CVE-2017-3894

BlackBerry BES/UEM: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in BlackBerry BES/UEM, in order to run JavaScript code in the context of the web site.
Impacted products: BES, BlackBerry UEM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 10/05/2017.
Identifiers: BSRT-2017-004, CVE-2017-3894, VIGILANCE-VUL-22699.

Description of the vulnerability

The BlackBerry BES/UEM product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in BlackBerry BES/UEM, in order to run JavaScript code in the context of the web site.