Sec-1 Advisory: Reflected Cross-Site-Scripting in Blackberry BES12 version 12.4

Sec-1 Security Advisory
Severity : Medium
Advisory Name : Reflected Cross-Site-Scripting in Blackberry BES12 version 12.4
Discovery Date : 23/02/2016
Release Date : 12/04/2016
Application : BES12 version 12.4 and earlier
Platform : Windows
CVE : CVE-2016-1917
Discovered by : Nicodemo Gawronski
Vendor Status : Resolved in April 2016 Blackberry Update available from
Website :

Vulnerability Summary

Reflected Cross-Site-Scripting (Reflected XSS)

Two instances of Reflected Cross-Site-Scripting were discovered in the affected software.
Cross-Site-Scripting (XSS) is a vulnerability that occurs when user-entered data is accepted by the server and returned in a response without proper sanitisation or output encoding, which allows an attacker to embed a malicious script in a request that is later served to another user. Reflected XSS occurs when the malicious data is immediately returned in the response to a crafted request, whereas Stored XSS occurs when the malicious data is held by the application for some time before being embedded in a response (for example, stored in a database and retrieved at a later date).
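To illustrate the defect class described above, here is an added example (not code from the advisory or from BlackBerry) showing a page that reflects a query parameter without encoding next to the same page with HTML entity encoding, plus a check that flags unencoded reflection; the page template, host name and parameter name `q` are constructed assumptions.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for a server-side page template; not BES12 code.
PAGE = "<html><body><h1>Settings</h1><p>Filter: {value}</p></body></html>"


def _param(url: str, name: str = "q") -> str:
    """Extract a single query-string parameter (assumed parameter name 'q')."""
    query = parse_qs(urlsplit(url).query)
    return query.get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter straight into the markup: the defect pattern."""
    return PAGE.format(value=_param(url))


def render_hardened(url: str) -> str:
    """Same page, but the parameter is HTML-entity-encoded for an element body
    and attribute context before it is placed into the markup."""
    return PAGE.format(value=html.escape(_param(url), quote=True))


# Constructed, harmless probe: markup characters that must not survive verbatim.
PROBE = '<probe attr="1">'


def reflects_unencoded(render, path: str = "/admin/settings/") -> bool:
    """Return True if the renderer echoes the probe's markup characters unchanged.

    'render' is any callable taking a URL and returning the response body, so the
    same check can be pointed at either implementation above.
    """
    url = "https://bes.example.invalid" + path + "?" + urlencode({"q": PROBE})
    body = render(url)
    return PROBE in body


if __name__ == "__main__":
    for path in ("/admin/settings/", "/admin/user/"):
        print(path, "vulnerable:", reflects_unencoded(render_vulnerable, path),
              "hardened:", reflects_unencoded(render_hardened, path))
```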


Two parameters on the “admin/settings/” and “admin/user/” pages of the BES12 web server were found to be vulnerable to Reflected Cross-Site Scripting (XSS).
This would allow an attacker to launch XSS attacks against targeted users by sending them crafted links (for example, a malicious link in a targeted email). The effects could include, for example:

  • Stealing access credentials from a targeted user as that user logs in
  • Stealing an access token from a targeted user as that user logs in
  • Displaying a malicious or political message to the user

Example Payload/POC

Steps to reproduce the vulnerability:

  1. Log in to the BES12 Server.
  2. Access the following URLs:
     Reflected XSS in “/admin/settings/”

     Reflected XSS in “/admin/user/”

This is a simplistic payload which will only display a pop-up message warning the user that the page is vulnerable; however, a more advanced payload could easily be constructed to perform the actions discussed above.

Vendor Response

The vendor has patched the XSS issues in the April 2016 Software Update. Sec-1 would like to thank Blackberry for their prompt and professional response.
