Date: Mon, 9 Jun 2014 16:47:14 -0300
From: William Costa <william.costa@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Cisco AsyncOS Cross-Site Scripting Vulnerability CVE-2014-3289

I. VULNERABILITY
-------------------------
Reflected XSS vulnerability in Cisco IronPort Email Security Virtual Appliance, Version 8.0.0-671.

II. BACKGROUND
-------------------------
Cisco Systems, Inc. is an American multinational corporation headquartered in San Jose, California, that designs, manufactures, and sells networking equipment.

III. DESCRIPTION
-------------------------
A reflected XSS vulnerability has been detected in the Cisco IronPort Email Security Virtual Appliance. The code injection is done through the parameter "date_range" in the page "/monitor/reports/overview?printable=False&date_range".

IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter "date_range" correctly:

https://ip_cisco_web_security/monitor/reports/overview?printable=False&date_range=aaaa<script>alert(2)</script>

V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in the context of a targeted user's browser.

VI. SYSTEMS AFFECTED
-------------------------
Cisco IronPort Email Security Virtual Appliance, Version 8.0.0-671.

VII. SOLUTION
-------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3289

By William Costa
william.costa@...il.com

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
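As an added illustration (not code from the advisory, from Cisco, or from the appliance), the following Python shows the defect class the advisory describes, a request parameter reflected into the page without validation or output encoding, beside a hardened version, and a small check that flags requests carrying an unexpected date_range value in a constructed access log. The expected shape of date_range (a short identifier such as "current_day"), the page template, and the common-log-format log lines are all assumptions made for the example.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Assumption for this example: date_range is a short identifier; anything else
# (angle brackets, quotes, percent sequences that decode to markup) is rejected.
DATE_RANGE_OK = re.compile(r"[A-Za-z0-9_-]{1,32}")

# Path named in the advisory.
REPORT_PATH = "/monitor/reports/overview"


def render_overview_vulnerable(date_range: str) -> str:
    """Echo the parameter straight into HTML: the pattern behind a reflected XSS."""
    return f"<h2>Overview for: {date_range}</h2>"


def render_overview_safe(date_range: str) -> str:
    """Allowlist-validate first, then HTML-escape whatever is reflected.

    Validation is the primary control; escaping is defence in depth so that a
    future change to the allowlist cannot silently reopen the hole.
    """
    if not DATE_RANGE_OK.fullmatch(date_range):
        return "<h2>Overview for: (invalid date range)</h2>"
    return f"<h2>Overview for: {html.escape(date_range, quote=True)}</h2>"


# Common log format with the request line in quotes (assumed layout).
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines):
    """Return (client_ip, decoded date_range) for overview requests whose
    date_range fails the allowlist, i.e. the requests a defender would review."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        ip, target = m.group(1), m.group(2)
        parts = urlsplit(target)
        if parts.path != REPORT_PATH:
            continue
        # parse_qs percent-decodes values, so the check sees the same string
        # the application would have reflected.
        for value in parse_qs(parts.query, keep_blank_values=True).get("date_range", []):
            if not DATE_RANGE_OK.fullmatch(value):
                hits.append((ip, value))
    return hits


# Constructed sample log: one normal report view, one request carrying the
# advisory's payload, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - admin [09/Jun/2014:16:47:14 -0300] "GET /monitor/reports/overview?printable=False&date_range=current_day HTTP/1.1" 200 5120',
    '10.0.0.9 - - [09/Jun/2014:16:48:02 -0300] "GET /monitor/reports/overview?printable=False&date_range=aaaa%3Cscript%3Ealert(2)%3C/script%3E HTTP/1.1" 200 5200',
    '10.0.0.9 - - [09/Jun/2014:16:49:10 -0300] "GET /login HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    payload = "aaaa<script>alert(2)</script>"
    print("vulnerable:", render_overview_vulnerable(payload))
    print("hardened:  ", render_overview_safe(payload))
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"review: {ip} sent date_range={value!r}")
```

The allowlist check is what actually closes the hole; html.escape on the reflected value is kept as a second layer. The log scan is useful after patching as well, to see whether the parameter was probed before the fix was applied.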