Same Origin Policy Violation in Multiple Clientless SSL VPN Products
CVE-2009-2631

Currently unrated

Key Information:

Vendor: Sonicwall
Status: E-class Ssl Vpn; Ssl Vpn; Stonegate; Adaptive Security Appliance
Vendor: CVE Published:; 4 December 2009

Summary

Various clientless SSL VPN products, when misconfigured, allow attackers to exploit a fundamental design flaw facilitating unauthorized content retrieval from remote URLs. This flaw violates the same-origin policy, potentially allowing cross-site scripting (XSS) attacks, unauthorized access to internal resources, and exploitation of user sessions. Remote attackers can read cookies from different domains, perform keylogging, and engage in a range of malicious actions, posing serious risks to organizational security.

References

http://secunia.com/advisories/37786

third-party-advisoryx_refsource_SECUNIA

http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/...

x_refsource_CONFIRM

http://www.securityfocus.com/archive/1/508164/100/0/threaded

mailing-listx_refsource_BUGTRAQ

Timeline

Vulnerability published
Dec 4, 2009
Vulnerability Reserved
Jul 28, 2009