CERT VU:274244

Apr 14, 2015 - 12:00 a.m.

Blue Coat Malware Analysis appliance contains a cross-site scripting (XSS) vulnerability and information disclosure

2015-04-14 00:00:00
www.kb.cert.org

CVSS2: 5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.002 Low
Percentile: 59.1%

Overview

The Blue Coat Malware Analysis appliance is vulnerable to cross-site scripting (XSS) and information disclosure.

Description

The Blue Coat Malware Analysis appliance is a sandboxed appliance that scans for threats in files and downloads on the network.

A cross-site scripting vulnerability exists in search.php of the appliance. This vulnerability has been assigned CVE-2015-0937.

An information disclosure vulnerability exists in search.php of the appliance. By use of a specialized URL parameter, this vulnerability allows a user to search for and obtain a list of documents meeting certain keywords, even if those documents are private. This vulnerability has been assigned CVE-2015-0938.

These vulnerabilities have been observed in version 4.2.3.20150129-RELEASE; other releases may also be affected. For more information, please see Blue Coat’s security advisory SA94.

The CVSS score below is based on CVE-2015-0937.


Impact

The cross-site scripting vulnerability may allow compromise of user credentials. The information disclosure vulnerability may allow private file data to be obtained by unauthorized users.


Solution

Update software

Blue Coat has addressed these vulnerabilities in version 4.2.4.20150312-RELEASE. Affected users should upgrade as soon as possible.


Vendor Information

Blue Coat Systems Affected

Notified: February 02, 2015 Updated: April 07, 2015

Statement Date: February 13, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N
Temporal 5.2 E:POC/RL:U/RC:C
Environmental 3.9 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

<https://bto.bluecoat.com/security-advisory/sa94>

Acknowledgements

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-0937, CVE-2015-0938
Date Public: 2015-04-14 Date First Published:
