Websense XSS Vulnerability

2007.12.11
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

December 10th, 2007

=======
Summary
=======
Name: Websense XSS Vulnerability
Release Date: 10 December 2007
Reference: LSD002-2007
Discovered by: Dave Lewis
CVE: Pending
Vendor: Websense
Product: Websense Enterprise and Websense Web Security Suite
Systems Affected: version 6.3 (as tested)
Risk: Less Critical
Status: Published
Reference: http://www.liquidmatrix.org/blog/2007/12/10/advisory-websense-xss-vulnerability/

=========
Time Line
=========
Discovered: 8 November 2007
Reported: 8 November 2007
Fixed: 21 November 2007
Patch Release: 21 November 2007
Published: 10 December 2007

===========
Description
===========
The login page of Websense Enterprise and Websense Web Security Suite is susceptible to a reflected cross-site scripting (XSS) attack.

Impact: a remote attacker could mount an XSS attack that delivers arbitrary HTML and script to a user's browser in the context of the affected site.

=================
Technical Details
=================
Input passed to the "username" field of the login page is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

===============
Fix Information
===============
This issue has now been resolved. The patch may be obtained from http://www.websense.com (Hotfix #80).
Knowledge Base #1840: http://www.websense.com/SupportPortal/SupportKbs/1840.aspx

===============================
Liquidmatrix Security Digest
http://www.liquidmatrix.org/blog/
2255B Queen Street East, Suite 156
Toronto, Ontario
Canada M4E 1G3
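The technical details above describe the whole bug class: a login form echoes the submitted "username" value back into the page without encoding it. The following is an added example, not Websense's code and not from the advisory, that models that behaviour in a hypothetical login page renderer, shows the one-line fix (HTML-escaping the value before it lands inside an attribute), and includes the kind of reflection check a tester would run to tell the two apart. The page structure, the function names and the probe string are all assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed probe string. It closes the value attribute, closes the input
# tag, and opens a script element; if it comes back byte-for-byte the page
# is reflecting user input as markup.
PROBE = '"><script>alert(1)</script>'


def login_page_vulnerable(username: str) -> str:
    """Hypothetical login page that echoes the username verbatim into the
    value attribute. This is the pattern the advisory describes, not the
    vendor's actual code."""
    return (
        '<form method="post" action="/login">'
        f'<input name="username" value="{username}">'
        '<input name="password" type="password">'
        "</form>"
    )


def login_page_fixed(username: str) -> str:
    """Same page with the value escaped for an HTML attribute context.
    quote=True is what turns the closing double quote into &quot;, which is
    the character the probe relies on to break out of the attribute."""
    safe = html.escape(username, quote=True)
    return (
        '<form method="post" action="/login">'
        f'<input name="username" value="{safe}">'
        '<input name="password" type="password">'
        "</form>"
    )


def handle_request(query_string: str, renderer) -> str:
    """Minimal stand-in for the server: pull 'username' from the query
    string (as a browser would send it after a failed login redirect) and
    hand it to the page renderer."""
    params = parse_qs(query_string, keep_blank_values=True)
    username = params.get("username", [""])[0]
    return renderer(username)


def reflects_unescaped(page: str, probe: str = PROBE) -> bool:
    """Tester's check: True if the probe survived into the response with its
    quote and angle brackets intact, which is exactly the condition the
    advisory's 'not properly sanitized before being returned' refers to."""
    return probe in page


if __name__ == "__main__":
    # URL-encoded form of PROBE, as it would appear in the request line.
    qs = "username=%22%3E%3Cscript%3Ealert(1)%3C/script%3E"
    for name, renderer in (("vulnerable", login_page_vulnerable),
                           ("fixed", login_page_fixed)):
        page = handle_request(qs, renderer)
        print(f"{name:10s} reflects unescaped: {reflects_unescaped(page)}")
        print("  ", page)
```

The check is deliberately a plain substring match on the raw probe rather than a search for `<script>`: an attribute-context injection can succeed without a script tag (an `onfocus` handler in the same position would do), so what matters is whether the quote and angle brackets came back unencoded, not which payload was used. For the same reason the fix escapes at the output point in the attribute context, rather than trying to filter "bad" characters on input.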


Copyright 2024, cxsecurity.com