Security Advisories

FSC-2014-2: Cross-site Scripting Vulnerability

Description

An improper validation check on the "new" parameter of the Admin console page of the Messaging Secure Gateway 7.5.0 product causes a cross-site scripting vulnerability.

Affected Products

  • Risk Level (Low/Medium/High/Critical): Low
  • F-Secure Messaging Secure Gateway 7.5.0


More Information

A cross-site scripting vulnerability occurs in the Admin console of the Messaging Secure Gateway 7.5.0 product if an unterminated script is input to the "new" parameter, which is used to create new users. Successful exploitation could result in the creation of a new Administrator user account. This issue has been assigned the identifier CVE-2014-2844.
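As an added illustration that is not part of the advisory or of the product's code, the following Python sketch contrasts reflecting the "new" parameter verbatim with validating it and HTML-encoding it on output. The rendering functions, the username allow-list and the sample input are assumptions constructed for this example; only the parameter name "new" comes from the advisory.

```python
import html
import re

# Constructed allow-list for a user name (assumption: letters, digits,
# dot, underscore, hyphen; 1-64 characters). Markup characters such as
# '<', '>' and quotes can never pass this check.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Constructed sample input: an opening <script> tag that is never closed,
# the "unterminated script" shape the advisory describes.
SAMPLE_NEW = "<script>x"


def is_valid_new_user(new: str) -> bool:
    """Input validation for the 'new' parameter (hypothetical)."""
    return USERNAME_RE.fullmatch(new) is not None


def render_vulnerable(new: str) -> str:
    """Reflects 'new' verbatim: any markup in it becomes part of the page."""
    return f"<p>Created user: {new}</p>"


def render_encoded(new: str) -> str:
    """Output encoding only: the value is shown as inert text, not parsed as HTML."""
    return f"<p>Created user: {html.escape(new, quote=True)}</p>"


def render_hardened(new: str) -> str:
    """Defense in depth: reject values that are not user names, then encode."""
    if not is_valid_new_user(new):
        raise ValueError("invalid value for parameter 'new'")
    return render_encoded(new)


def reflects_raw_markup(rendered: str, new: str) -> bool:
    """Check: does the raw, unencoded input appear in the rendered page?"""
    return ("<" in new or ">" in new) and new in rendered


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_NEW))   # raw tag lands in the page
    print(render_encoded(SAMPLE_NEW))      # &lt;script&gt;x
    print(is_valid_new_user(SAMPLE_NEW))   # False: rejected before rendering
    print(render_hardened("alice.smith"))
```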

Mitigating Factor

An administrator account is needed prior to successfully exploiting the vulnerability. The exploit only works on Internet Explorer and Firefox.

Fix Available

Product                             Version   Fix
F-Secure Messaging Secure Gateway   7.5.0     Patch 1862

Patch 1862 has been applied to all F-Secure Messaging Secure Gateway clusters.

  1. Verify that the patch has been installed.

Credits

F-Secure Corporation would like to thank Mr. William Costa for bringing this issue to our attention.

Advisory Changes

Date             Changes
16th April 2014  First advisory published.
17th April 2014  Clarified Mitigating Factor.

Date Issued: 2014-04-16
Date Updated: 2014-04-17