Lucene search

MitreCVE-2014-9711

HistoryMar 25, 2015 - 2:59 p.m.

CVE-2014-9711

2015-03-2514:59:00

CWE-79

mitre

web.nvd.nist.gov

cve-2014-9711

cross-site scripting

xss

investigative reports

websense triton ap-web

web security gateway

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

5.9

Confidence

High

EPSS

0.005

Percentile

76.4%

JSON

Multiple cross-site scripting (XSS) vulnerabilities in the Investigative Reports in Websense TRITON AP-WEB before 8.0.0 and Web Security and Filter, Web Security Gateway, and Web Security Gateway Anywhere 7.8.3 before Hotfix 02 and 7.8.4 before Hotfix 01 allow remote attackers to inject arbitrary web script or HTML via the (1) ReportName (Job Name) parameter to the Explorer report scheduler (cgi-bin/WsCgiExplorerSchedule.exe) in the Job Queue or the col parameter to the (2) Names or (3) Anonymous (explorer_wse/explorer_anon.exe) summary report page.

Affected configurations

Nvd

Node

websensetriton_ap_webRange≤7.8.3

websensetriton_web_filterRange≤7.8.3

websensetriton_web_securityRange≤7.8.3

websensetriton_web_security_gatewayRange≤7.8.3

websensetriton_web_security_gateway_anywhereRange≤7.8.3

VendorProductVersionCPE
websensetriton_ap_web*cpe:2.3:a:websense:triton_ap_web:*:*:*:*:*:*:*:*
websensetriton_web_filter*cpe:2.3:a:websense:triton_web_filter:*:*:*:*:*:*:*:*
websensetriton_web_security*cpe:2.3:a:websense:triton_web_security:*:*:*:*:*:*:*:*
websensetriton_web_security_gateway*cpe:2.3:a:websense:triton_web_security_gateway:*:*:*:*:*:*:*:*
websensetriton_web_security_gateway_anywhere*cpe:2.3:a:websense:triton_web_security_gateway_anywhere:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
websense	triton_ap_web	*	cpe:2.3:a:websense:triton_ap_web::::::::
websense	triton_web_filter	*	cpe:2.3:a:websense:triton_web_filter::::::::
websense	triton_web_security	*	cpe:2.3:a:websense:triton_web_security::::::::
websense	triton_web_security_gateway	*	cpe:2.3:a:websense:triton_web_security_gateway::::::::
websense	triton_web_security_gateway_anywhere	*	cpe:2.3:a:websense:triton_web_security_gateway_anywhere::::::::

References

packetstormsecurity.com/files/130903/Websense-Explorer-Report-Scheduler-Cross-Site-Scripting.html

packetstormsecurity.com/files/130905/Websense-Reporting-Cross-Site-Scripting.html

seclists.org/fulldisclosure/2015/Mar/109

seclists.org/fulldisclosure/2015/Mar/110

www.securityfocus.com/archive/1/534915/100/0/threaded

www.securityfocus.com/archive/1/534917/100/0/threaded

www.websense.com/support/article/kbarticle/v7-8-3-About-Hotfix-02-for-Web-Security-Solutions

www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-01-for-Web-Security-Solutions

www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0

www.securify.nl/advisory/SFY20140911/cross_site_scripting_vulnerability_in_websense_explorer_report_scheduler.html

www.securify.nl/advisory/SFY20140914/multiple_cross_site_scripting_vulnerabilities_in_websense_reporting.html

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

5.9

Confidence

High

EPSS

0.005

Percentile

76.4%

JSON

Related for CVE-2014-9711