
Test ID: 1.3.6.1.4.1.25623.1.0.803754
Category: CISCO
Title: Cisco Content Security Management Appliance XSS and CSRF Vulnerabilities
Summary: Cisco Content Security Management Appliance is prone to cross-site scripting and cross-site request forgery vulnerabilities.
Description:

Vulnerability Insight:
Multiple flaws are due to:

- The lack of output escaping in the default error 500 page. When an exception
occurs in the application, the error description contains unvalidated user
input from the request.

- The lack of input validation on the job_name, job_type, appliances_options and
config_master parameters, which are then printed unescaped in the job_name,
old_job_name, job_type, appliance_lists and config_master fields.

- The CSRFKey is not used in some areas of the application.

Vulnerability Impact:
Successful exploitation allows an attacker to execute arbitrary script
code in the browser of an unsuspecting user in the context of the affected site.

Affected Software/OS:
Cisco Content Security Management Appliance (SMA) 8.1 and prior.

Solution:
Upgrade to the latest version of Cisco CSMA.

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Cross-reference:
Common Vulnerability Exposure (CVE) ID: CVE-2013-3395
Cisco Security Advisory: 20130626 Cisco IronPort Cross-Site Request Forgery Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3395
Common Vulnerability Exposure (CVE) ID: CVE-2013-3396
BugTraq ID: 60829
http://www.securityfocus.com/bid/60829
Cisco Security Advisory: 20130626 Cisco Content Security Management Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3396
Copyright: Copyright (C) 2013 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.