Cross-Site Scripting Vulnerability in Cisco AsyncOS for Email and Web Security Appliances
CVE-2014-3289

Currently unrated

Key Information:

Vendor: Cisco
Status: Ironport Asyncos; Web Security Appliance
Vendor: CVE Published:; 10 June 2014

Summary

A cross-site scripting vulnerability exists in the web management interface of Cisco's AsyncOS utilized in Email Security Appliance, Web Security Appliance, and Content Security Management Appliance. This flaw enables remote attackers to inject arbitrary web scripts or HTML into affected interfaces, particularly through manipulated parameters, such as 'date_range' in the monitoring reports. Exploiting this vulnerability can lead to unauthorized actions on behalf of users, compromising the integrity of the system.

References

http://www.securitytracker.com/id/1030407

vdb-entryx_refsource_SECTRACK

http://www.kb.cert.org/vuls/id/613308

third-party-advisoryx_refsource_CERT-VN

http://packetstormsecurity.com/files/127004/Cisco-Ironpor...

x_refsource_MISC

Timeline

Vulnerability published
Jun 10, 2014
Vulnerability Reserved
May 7, 2014