CVE-2014-3289
5.7 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
69.4%
Cross-site scripting (XSS) vulnerability in the web management interface in Cisco AsyncOS on the Email Security Appliance (ESA) 8.0, Web Security Appliance (WSA) 8.0 (.5 Hot Patch 1) and earlier, and Content Security Management Appliance (SMA) 8.3 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted parameter, as demonstrated by the date_range parameter to monitor/reports/overview on the IronPort ESA, aka Bug IDs CSCun07998, CSCun07844, and CSCun07888.
References
packetstormsecurity.com/files/127004/Cisco-Ironport-Email-Security-Virtual-Appliance-8.0.0-671-XSS.html
seclists.org/fulldisclosure/2014/Jun/57
secunia.com/advisories/58296
tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3289
tools.cisco.com/security/center/viewAlert.x?alertId=34569
www.kb.cert.org/vuls/id/613308
www.securityfocus.com/bid/67943
www.securitytracker.com/id/1030407
Related
5.7 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
69.4%