CVE-2014-3289
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
AI Score
Confidence
High
EPSS
Percentile
69.8%
Cross-site scripting (XSS) vulnerability in the web management interface in Cisco AsyncOS on the Email Security Appliance (ESA) 8.0, Web Security Appliance (WSA) 8.0 (.5 Hot Patch 1) and earlier, and Content Security Management Appliance (SMA) 8.3 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted parameter, as demonstrated by the date_range parameter to monitor/reports/overview on the IronPort ESA, aka Bug IDs CSCun07998, CSCun07844, and CSCun07888.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| cisco | ironport_asyncos | * | cpe:2.3:o:cisco:ironport_asyncos:*:*:*:*:*:*:*:* |
| cisco | web_security_appliance | - | cpe:2.3:h:cisco:web_security_appliance:-:*:*:*:*:*:*:* |
| cisco | content_security_management_appliance | - | cpe:2.3:h:cisco:content_security_management_appliance:-:*:*:*:*:*:*:* |
| cisco | ironport_asyncos | 8.0 | cpe:2.3:o:cisco:ironport_asyncos:8.0:*:*:*:*:*:*:* |
| cisco | email_security_appliance_firmware | - | cpe:2.3:o:cisco:email_security_appliance_firmware:-:*:*:*:*:*:*:* |
References
packetstormsecurity.com/files/127004/Cisco-Ironport-Email-Security-Virtual-Appliance-8.0.0-671-XSS.html
seclists.org/fulldisclosure/2014/Jun/57
secunia.com/advisories/58296
tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3289
tools.cisco.com/security/center/viewAlert.x?alertId=34569
www.kb.cert.org/vuls/id/613308
www.securityfocus.com/bid/67943
www.securitytracker.com/id/1030407
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
AI Score
Confidence
High
EPSS
Percentile
69.8%