Cross-site Scripting Vulnerability in Forcepoint Cloud Security Gateway and Web Security Products
CVE-2023-26290

6.1 MEDIUM

Key Information:

Vendor

Forcepoint

CVE Published:
29 March 2023

What is CVE-2023-26290?

A Cross-site Scripting (XSS) vulnerability exists in Forcepoint's Cloud Security Gateway (CSG) and Web Security products. The issue arises from improper handling of user input during web page generation, specifically in the login_reset_request.mhtml module. An attacker can exploit this flaw to execute scripts in the context of the affected user's session, potentially leading to unauthorized data access or manipulation. The vulnerability affects several Forcepoint products and is present in versions released before March 29, 2023. Users are advised to take immediate action to mitigate the associated risks.

Affected Version(s)

Cloud Security Gateway (CSG) Web Cloud Security Gateway 0 < 03/29/2023

Web Security Hybrid 0 < 03/29/2023

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pratik Kumar Singh (@4rch_54m431)