Blue Coat Advanced Secure Gateway 6.6, CacheFlow 3.4, and ProxySG 6.5 and 6.6 allow remote attackers to bypass blocked requests, user authentication, and payload scanning.
Open redirect vulnerability in Blue Coat ProxySG 6.5 before 18.104.22.168 and 6.6 and Advanced Secure Gateway (ASG) 6.6 might allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a base64-encoded URL in conjunction with a "clear text" one in a coaching page, as demonstrated by "http://www.%humbug-URL%.local/bluecoat-splash-API?%BASE64-URL%."
The default configuration of SGOS in Blue Coat ProxySG before 22.214.171.124, 6.5 before 126.96.36.199, and 6.6 before 188.8.131.52 forwards authentication challenges from upstream origin content servers (OCS) when used in an explicit proxy deployment, which makes it easier for remote attackers to obtain sensitive information via a 407 (aka Proxy Authentication Required) HTTP status code, as demonstrated when using NTLM authentication.
Stack-based buffer overflow in the BCAAA component before build 60258, as used by Blue Coat ProxySG 4.2.3 through 6.1 and ProxyOne, allows remote attackers to execute arbitrary code via a large packet to the synchronization port (16102/tcp).
Cross-site scripting (XSS) vulnerability in the Java Management Console in Blue Coat ProxySG before SGOS 184.108.40.206, 5.x before SGOS 220.127.116.11, 5.5 before SGOS 18.104.22.168, and 6.x before SGOS 22.214.171.124 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Blue Coat ProxySG before SGOS 126.96.36.199, 5.x before SGOS 188.8.131.52, 5.5 before SGOS 184.108.40.206, and 6.x before SGOS 220.127.116.11 allows remote authenticated users to execute arbitrary CLI commands by leveraging read-only administrator privileges and establishing an HTTPS session.
Blue Coat ProxySG, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted intranet sites, via a crafted web page that causes a client to send HTTP requests with a modified Host header.
Cross-site scripting (XSS) vulnerability in the management console in Blue Coat ProxySG before 18.104.22.168, and 5.x before 22.214.171.124, allows remote attackers to inject arbitrary web script or HTML by modifying the URL that is used for loading Certificate Revocation Lists.
Blue Coat Proxy Security Gateway OS (SGOS) 126.96.36.199 does not enforce CONNECT rules when using Deep Content Inspection, which allows remote attackers to bypass connection filters.