An improper validation check on the "new" parameter of the Admin console page of the Messaging Secure Gateway 7.5.0 product causes a cross-site scripting vulnerability.
A cross-site scripting vulnerability occurs in the Admin console of the Messaging Secure Gateway 7.5.0 product if an unterminated script is input to the "new" parameter which is used to create new users. Successful exploitation could result in creation of a new Administrator user account. This issue has been assigned the identifier CVE-2014-2844.
An administrator account is needed prior to successfully exploiting the vulnerability. The exploit only works on Internet Explorer and Firefox.
|F-Secure Messaging Secure Gateway||7.5.0||
Patch 1862 has been applied to all F-Secure Messaging Secure Gateway clusters.
F-Secure Corporation would like to thank Mr. William Costa for bringing this issue to our attention.
|16th April 2014||First advisory published.|
|17th April 2014||Clarified Mitigating Factor.|
Date Issued: 2014-04-16
Date Updated: 2014-04-17