CVE-2014-3289

Currently unrated

Key Information:

Vendor: Cisco
Status: Ironport Asyncos; Web Security Appliance
Vendor: CVE Published:; 10 June 2014

Summary

Cross-site scripting (XSS) vulnerability in the web management interface in Cisco AsyncOS on the Email Security Appliance (ESA) 8.0, Web Security Appliance (WSA) 8.0 (.5 Hot Patch 1) and earlier, and Content Security Management Appliance (SMA) 8.3 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted parameter, as demonstrated by the date_range parameter to monitor/reports/overview on the IronPort ESA, aka Bug IDs CSCun07998, CSCun07844, and CSCun07888.

References

http://www.securitytracker.com/id/1030407

vdb-entryx_refsource_SECTRACK

http://www.kb.cert.org/vuls/id/613308

third-party-advisoryx_refsource_CERT-VN

http://packetstormsecurity.com/files/127004/Cisco-Ironpor...

x_refsource_MISC

EPSS Score

5% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Jun 10, 2014
Vulnerability Reserved
May 7, 2014