Symantec Messaging Gateway 10.x < 10.5.2 Management Console XSS (SYM14-006)

medium Nessus Plugin ID 73690

Synopsis

A messaging security application running on the remote host has a cross-site scripting vulnerability.

Description

According to its self-reported version number, the version of Symantec Messaging Gateway running on the remote host is 10.x prior to 10.5.2. It is, therefore, affected by a cross-site scripting vulnerability.

A cross-site scripting flaw exists in 'brightmail/setting/compliance/DlpConnectFlow$view.flo' within the management console. A context-dependent attacker could use a specially crafted request to execute arbitrary script code in a user's browser, within the trust relationship between the browser and the server.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Symantec Messaging Gateway 10.5.2 or later.

See Also

http://www.nessus.org/u?a25abec9

https://seclists.org/fulldisclosure/2014/Apr/256

Plugin Details

Severity: Medium

ID: 73690

File Name: symantec_messaging_gateway_sym14-006.nasl

Version: 1.11

Type: remote

Published: 4/24/2014

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2014-1648

Vulnerability Information

CPE: cpe:/a:symantec:messaging_gateway

Required KB Items: www/sym_msg_gateway

Exploit Available: true

Exploit Ease: No exploit is required

Patch Publication Date: 4/22/2014

Vulnerability Publication Date: 4/22/2014

Reference Information

CVE: CVE-2014-1648

BID: 66966

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990