Published:2011/04/08  Last Updated:2011/04/08

Password Vault Web Access vulnerable to cross-site scripting


Password Vault Web Access (PVWA) provided by Cyber-Ark Software, Ltd. contains a cross-site scripting vulnerability.

Products Affected

  • PVWA v6.0 releases v6.0 patch #2 and earlier
  • PVWA v5.5 releases v5.5 patch #4 and earlier
  • PVWA v5.0 and earlier


Password Vault Web Access (PVWA) is a module in the Privileged Identity Management Suite that allows access via a web portal. PVWA contains a cross-site scripting vulnerability.


An arbitrary script may be executed on the web browser of a user who is logged on.


Apply a patch
Apply the appropriate patch according to the information provided by the developer.

Vendor Status

Vendor Link
Cyber-Ark Privileged Identity Management Suite


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2011.04.08

Measures: Conditions (Severity)

  • Access Required: can be attacked over the Internet using packets (Severity: High)
  • Authentication: login caused to be created by an administrator (Severity: Low-Mid)
  • User Interaction Required: the vulnerability can be exploited without an honest user taking any action (Severity: High)
  • Exploit Complexity: the user must be convinced to take a difficult or suspicious action. If the honest user must have elevated privileges, they are likely to be more suspicious (Severity: High)



Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2011-0459
JVN iPedia JVNDB-2011-000023