Cross-Site Scripting Vulnerability in WatchGuard Fireware Products
CVE-2017-14615

6.1MEDIUM

Key Information:

Vendor

Watchguard

Status
Fireware
Vendor
CVE Published:
20 September 2017

What is CVE-2017-14615?

A vulnerability was identified in WatchGuard Fireware prior to version 12.0, which allows for the injection of malicious JavaScript through the XML-RPC interface. When an unauthorized login attempt occurs, if crafted correctly, this JavaScript can be executed in the context of any authenticated user accessing the 'Traffic Monitor' section of the Web UI. This could lead to unauthorized data exposure and manipulation, as the injected code may impact the visibility of subsequent events in the Traffic Monitor until the device is rebooted.

References

http://seclists.org/bugtraq/2017/Sep/22
x_refsource_MISC
https://www.sidertia.com/Home/Community/Blog/2017/09/18/F...
x_refsource_MISC
https://watchguardsupport.secure.force.com/publicKB?type=...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2017-14615 : Cross-Site Scripting Vulnerability in WatchGuard Fireware Products