

Product Security

FSC-2014-2: Cross-site Scripting Vulnerability

 

Brief Description

An improper validation check on the “new” parameter of the Admin console page of the Messaging Secure Gateway 7.5.0 product causes a cross-site scripting vulnerability. 

 

Risk Level: Low (Low/Medium/High/Critical)

Products

  • F-Secure Messaging Secure Gateway 7.5.0

  

Notes

A cross-site scripting vulnerability occurs in the Admin console of the Messaging Secure Gateway 7.5.0 product when an unterminated script is supplied in the “new” parameter, which is used to create new users. Successful exploitation could result in the creation of a new Administrator user account. This issue has been assigned the identifier CVE-2014-2844.

 

Mitigating Factor

An administrator account is needed prior to successfully exploiting the vulnerability. The exploit only works on Internet Explorer and Firefox.

 

Fix Available

Product Versions                               Download
F-Secure Messaging Secure Gateway 7.5.0        Patch 1862 has been applied to all F-Secure Messaging Secure Gateway clusters.
                                                 1. Verify that the patch has been installed.

 

Credits

F-Secure Corporation would like to thank Mr. William Costa for bringing this issue to our attention.

 

Advisory Changes

Date          Changes
16th April    First advisory published.
17th April    Clarified Mitigating Factor.

 

Date Issued: 2014-04-16
Date Last Updated: 2014-04-17
