본문 바로가기
취약점 정보1

Cisco AsyncOS contains a reflected cross-site scripting (XSS) vulnerability

Ryansecurity 2014. 6. 11. 02:22
728x90

Overview

Cisco AsyncOS contains a reflected cross-site scripting (XSS) vulnerability.

Description

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-3289

Cisco AsyncOS, the underlying OS for the Cisco Email Security Appliance, Web Security Appliance, and Content Security Management Appliance, contains a reflected cross-site scripting vulnerability in the reports overview page of the management interface. An attacker is able to load arbitrary script in the context of the user's browser through thedate_range parameter.

Affected Products:

  • Cisco Email Security Appliance 8.0 and earlier
  • Cisco Web Security Appliance 8.0 and earlier
  • Content Security Management Appliance 8.3 and earlier

    • Impact

    A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session.

    Solution

    Apply an Update
    Cisco has released a patch to address this vulnerability. If you are unable to upgrade, please consider the following workaround.

    Restrict Access
    As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the web interface using stolen credentials from a blocked network location.

    Vendor Information (Learn More)

    VendorStatusDate NotifiedDate Updated
    Cisco Systems, Inc.Affected17 Feb 201410 Jun 2014

    If you are a vendor and your product is affected, let us know.

    CVSS Metrics (Learn More)

    GroupScoreVector
    Base4.3AV:N/AC:M/Au:N/C:N/I:P/A:N
    Temporal3.6E:F/RL:OF/RC:C
    Environmental2.7CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

    References

    Credit

    Thanks to William Costa for reporting this vulnerability.

    This document was written by Chris King.

    Other Information

    • CVE IDs: CVE-2014-3289
    • Date Public: 09 6월 2014
    • Date First Published: 10 6월 2014
    • Date Last Updated: 10 6월 2014
    • Document Revision: 15


    728x90
    저작자표시 비영리 변경금지

    '취약점 정보1' 카테고리의 다른 글

    Snake In The Grass: Python-based Malware Used For Targeted Attacks  (0) 2014.06.17
    How I discovered CCS Injection Vulnerability (CVE-2014-0224)  (0) 2014.06.11
    Unauthorized modification of UEFI variables in UEFI systems  (0) 2014.06.11
    Adobe Flash Player 업데이트 권고  (0) 2014.06.11
    SSL/TLS MITM vulnerability (CVE-2014-0224)  (0) 2014.06.06

    '취약점 정보1' Related Articles

    티스토리툴바