Stored Cross-Site Scripting in ASG/ProxySG FTP Proxy by Symantec
CVE-2018-18370

6.1 MEDIUM

What is CVE-2018-18370?

The WebFTP mode of the ASG/ProxySG FTP proxy contains a stored cross-site scripting vulnerability. This flaw enables a remote attacker to inject malicious JavaScript code into the web listing of a remote FTP server accessed via a web browser. To exploit this vulnerability, the attacker must first upload specially crafted files to the affected FTP server. The impacted versions are ASG 6.6 and 6.7 prior to 6.7.4.2, and ProxySG 6.5 prior to 6.5.10.15, as well as 6.6 and 6.7 prior to 6.7.4.2. Deployments running an impacted version should be upgraded to a release outside these ranges.

Affected Version(s)

Symantec Advanced Secure Gateway (ASG) 6.6 and 6.7 prior to 6.7.4.2

Symantec ProxySG 6.5 prior to 6.5.10.15

Symantec ProxySG 6.6

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
