Vulners
Lucene search
Cisco Ironport AsyncOS Cross Site Scripting
🗓️ 25 Feb 2015 00:00:00Reported by Glafkos CharalambousType 
packetstorm🔗 packetstormsecurity.com👁 35 Views
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | CVE-2013-6780 | 13 Nov 201315:00 | – | cve |
 | CVE-2013-6780 | 13 Nov 201315:00 | – | cvelist |
 | EUVD-2013-6582 | 7 Oct 202500:30 | – | euvd |
 | [SECURITY] Fedora 18 Update: moodle-2.3.10-1.fc18 | 23 Nov 201319:35 | – | fedora |
| [SECURITY] Fedora 19 Update: moodle-2.4.7-1.fc19 | 23 Nov 201319:49 | – | fedora |
| [SECURITY] Fedora 20 Update: moodle-2.5.3-1.fc20 | 24 Nov 201303:29 | – | fedora |
 | Fedora 20 : moodle-2.5.3-1.fc20 (2013-21312) | 25 Nov 201300:00 | – | nessus |
| Fedora 18 : moodle-2.3.10-1.fc18 (2013-21354) | 25 Nov 201300:00 | – | nessus |
| Fedora 19 : moodle-2.4.7-1.fc19 (2013-21397) | 25 Nov 201300:00 | – | nessus |
 | CVE-2013-6780 | 13 Nov 201315:55 | – | nvd |
10
`Cisco Ironport AsyncOS Cross Site Scripting
Vendor: Cisco
Product webpage: http://www.cisco.com
Affected version(s):
Cisco Ironport ESA - AsyncOS 8.0.1-023
Cisco Ironport WSA - AsyncOS 8.5.5-022
Cisco Ironport SMA - AsyncOS 8.4.0-126
Date: 24/02/2015
Credits: Glafkos Charalambous
CVE: CVE-2013-6780
Disclosure Timeline:
28-10-2014: Vendor Notification
28-10-2014: Vendor Response/Feedback
22-01-2015: Vendor Fix/Patch
24-02-2015: Public Disclosure
Description:
Cisco AsyncOS is vulnerable to unauthenticated Cross-site scripting (XSS), caused by improper validation
of user supplied input in the (uploader.swf) Uploader component in Yahoo! versions 2.5.0 through 2.9.0.
An attacker is able to inject arbitrary web script or HTML via the allowedDomain parameter.
XSS Payload:
http(s)://domain.com/yui/uploader/assets/uploader.swf?allowedDomain=\"})))}catch(e){alert('XSS');}//
References:
https://tools.cisco.com/bugsearch/bug/CSCur44409
https://tools.cisco.com/bugsearch/bug/CSCur89626
https://tools.cisco.com/bugsearch/bug/CSCur89624
http://yuilibrary.com/support/20131111-vulnerability/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6780
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6780
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
mQENBFE6TCMBCADQKVLT3xkJDQpUE6M3akJdFRWgFEy2pwoDbnOGDhw6yQYObDEuUlixRV5u
xaIwzh9xPSS36B72bhQC3isHuqDu3xVhx9OX7XlLheXDZJdRbNIXQ3YPk1uYQizuoIpHq08x
Eq4V2CXq7ovZPhWI6+iJt6QkVYvZXJdyoTKT8bLaFSOEfLeyAgkCQdXOgnzmNWeedxp0xGAj
KL7qIhLETp/MK46ndo5hF8RIbVs59gWdu4GxXr96qViJLiAYO1dQNLc+LShMnue91neTjLoe
JkpgqLfEGKV459eCJNqxlylIVbxyTmigExftZKAdNFHat0txK0fB/bLOwRnNFqYWQxanABEB
AAG0KEdsYWZrb3MgQ2hhcmFsYW1ib3VzIDxnbGFma29zQGdtYWlsLmNvbT6JATgEEwECACIF
AlE6TCMCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEHAhLSD814yOAcoIALO6d2AQ
M0l9KD9hPIody4VYOgY8stBrumI+t8njzJOYCCLdzB781vCAa0vINPFuFxGp2e8EfMfvf8+Z
S6kC8EOQ6XyC8eq6imc1Q+tFMwTgykJZPFdosfXjBwg9jos/CR4dI6RZuzGC/FdXjpTAypbE
n3m2a+DBb6CUPeB9nVQq6ukRGbuZ8S+veWRNFwKkTSwC0HKtf9Od+JBrLKesNa3LWLo8q7+d
V3VS8rf8cmOOGBuaITzj87iRpgAgkF3MATa1Vb2nbbdYMpvHbzoj62mSqRiyEp1SOY9XkgcL
2ORsjgjww7GpH3F8LFvaHSHVz+037+E/+i/OSTS7o6gY4eI=
=yiro
-----END PGP SIGNATURE-----
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Feb 2015 00:00Current
6.4Medium risk
Vulners AI Score6.4
EPSS0.01196