security advisories

FSC-2014-2: Cross-site Scripting Vulnerability

Description


An improper validation check on the "new" parameter of the Admin console page of the Messaging Secure Gateway 7.5.0 product causes a cross-site scripting vulnerability.

Affected Products



Risk Level: Low (Low/Medium/High/Critical)

  • F-Secure Messaging Secure Gateway 7.5.0

  

Notes

A cross-site scripting vulnerability occurs in the Admin console of the Messaging Secure Gateway 7.5.0 product if an unterminated script is supplied in the "new" parameter, which is used to create new users. Successful exploitation could result in the creation of a new Administrator user account. This issue has been assigned the identifier CVE-2014-2844.
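
One way to look for this input in web access logs, as an added example that is not F-Secure's code: it flags requests whose "new" parameter contains a script tag and marks the ones left unterminated. The log lines, the /admin/users path and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines. The /admin/users path is a placeholder, not the
# product's real Admin console URL; only the "new" parameter is from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - admin [16/Apr/2014:09:12:01 +0000] "GET /admin/users?new=alice HTTP/1.1" 200 512',
    '10.0.0.9 - admin [16/Apr/2014:09:14:37 +0000] "GET /admin/users?new=%3Cscript%3Ealert(1) HTTP/1.1" 200 498',
    '10.0.0.9 - admin [16/Apr/2014:09:15:02 +0000] "GET /admin/users?new=%253CSCRIPT%253Ealert(1)%253C%252FSCRIPT%253E HTTP/1.1" 200 530',
    '10.0.0.7 - admin [16/Apr/2014:09:20:44 +0000] "GET /admin/search?q=new HTTP/1.1" 200 301',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
OPEN_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
CLOSE_TAG = re.compile(r"<\s*/\s*script\s*>", re.IGNORECASE)

def fully_unquote(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded input is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return 'clean', 'script' or 'unterminated-script' for one parameter value."""
    value = fully_unquote(value)
    opens = len(OPEN_TAG.findall(value))
    if opens == 0:
        return "clean"
    closes = len(CLOSE_TAG.findall(value))
    return "unterminated-script" if closes < opens else "script"

def scan(lines, param="new"):
    """Yield (line number, verdict, decoded value) for suspicious requests."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            verdict = classify(value)
            if verdict != "clean":
                findings.append((number, verdict, fully_unquote(value)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests that carry the parameter in a POST body do not appear in a standard access log and need proxy or application logging instead.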

 

Mitigating Factor

An administrator account is needed prior to successfully exploiting the vulnerability. The exploit only works on Internet Explorer and Firefox.


 

Fix Available

Product: F-Secure Messaging Secure Gateway
Versions: 7.5.0
Download: Patch 1862 has been applied to all F-Secure Messaging Secure Gateway clusters.
  1. Verify that the patch has been installed.

 

Credits

F-Secure Corporation would like to thank Mr. William Costa for bringing this issue to our attention.

 

Advisory Changes

Date          Changes
16th April    First advisory published.
17th April    Clarified Mitigating Factor.

 

Date Issued: 2014-04-16
Date Last Updated: 2014-04-17
