26 matches found
Default credentials
Microsoft Forefront Unified Access Gateway (UAG) 2010 SP1 and SP1 Update 1 does not properly configure the default web site, which allows remote attackers to obtain sensitive information via a crafted HTTPS request, aka "Unfiltered Access to UAG Default Website Vulnerability."...
CVE-2012-0146
CVE-2012-0146: Affects Microsoft Forefront UAG 2010 SP1 and SP1 Update 1. Open redirect vulnerability allows remote attackers to redirect users to arbitrary sites via a crafted URL (phishing risk). Root cause is improper redirect handling in UAG’s web flow. Exploitation is possible remotely; ...
Microsoft Forefront UAG Default Reflected Cross-site Scripting (MS11-079; CVE-2011-1897)
A cross-site scripting vulnerability has been reported in Microsoft Forefront Unified Access Gateway (UAG) server. The vulnerability is due to an error in the way the UAG server handles incoming HTTP query strings. A remote attacker could exploit this issue by enticing a user to open a URL containi...
SEC Consult SA-20111012-0 :: Client-side remote file upload & command execution in Microsoft Forefront UAG Remote Access Agent (CVE-2011-1969)
SEC Consult Vulnerability Lab Security Advisory 20111012-0. title: Client-side remote file upload & command execution; product: Microsoft Forefront Unified Access Gateway Remote Access Agent signed Java applet; vulnerable versio...
Session fixation
Microsoft Forefront Unified Access Gateway (UAG) 2010 Gold, Update 1, Update 2, and SP1 does not properly validate session cookies, which allows remote attackers to cause a denial of service (IIS outage) via unspecified network traffic, aka "Null Session Cookie Crash."...
CVE-2011-1969
Microsoft Forefront Unified Access Gateway (UAG) 2010 Gold, Update 1, Update 2, and SP1 provides the MicrosoftClient.jar file containing a signed Java applet, which allows remote attackers to execute arbitrary code on client machines via unspecified vectors, aka "Poisoned Cup of Code Execution...
CVE-2011-2012
Microsoft Forefront UAG 2010 Gold/Update 1/2 and SP1 is affected by CVE-2011-2012 due to improper validation of session cookies, enabling a remote attacker to cause a denial of service (IIS outage) by sending unspecified network traffic. This is part of the MS11-079 set of vulnerabilities and is ...
CVE-2011-1895
Microsoft Forefront UAG (2010 Gold/Update 1/Update 2/SP1) is affected by multiple vulnerabilities addressed in MS11-079. The CVE-2011-1895 issue is an HTTP response-splitting/CRLF injection in ExcelTable.asp that can lead to header tampering and related cross-site scripting attacks; related CVEs ...
Microsoft Forefront UAG Poisoned Cup of Code Execution (MS11-079; CVE-2011-1969)
The vulnerability is due to a vulnerable Java applet that is installed on a browser by the Forefront Unified Access Gateway (UAG) server. A remote attacker may exploit this vulnerability by enticing a target user to open a malicious web page using a Java-enabled web browser. Successful exploitation...
Microsoft Forefront UAG Session Cookie Denial of Service (MS11-079; CVE-2011-2012)
A denial of service vulnerability has been reported in Microsoft Forefront Unified Access Gateway (UAG). The vulnerability is due to improper validation of certain values contained within the session cookie. A remote attacker may exploit this vulnerability by sending specially crafted network traff...
Preemptive Protection against Microsoft Forefront UAG Default Reflected XSS Information Disclosure (MS11-079; CVE-2011-1897)
An information disclosure vulnerability has been reported in Microsoft Forefront Unified Access Gateway (UAG) server...
Preemptive Protection against Microsoft Forefront UAG ExcelTable Reflected XSS Information Disclosure (MS11-079; CVE-2011-1896)
An information disclosure vulnerability has been reported in Microsoft Forefront Unified Access Gateway (UAG) server...
Microsoft ForeFront Default Portal Cross-Site Scripting (MS11-079)
An information disclosure vulnerability has been reported in Microsoft Forefront Unified Access Gateway (UAG) server...
Microsoft Forefront UAG Signurl.asp Cross-Site Scripting (MS10-089; CVE-2010-3936)
Microsoft Forefront Unified Access Gateway (UAG) is designed to provide secure remote access to corporate resources for employees, partners and vendors from both managed and unmanaged PCs and mobile devices. UAG provides a variety of connection options including SSL VPN, Microsoft DirectAccess and...
Microsoft security update stamps out 11 product vulnerabilities
American software heavyweight Microsoft Corp. has this week rolled out three security bulletins for Windows, addressing a total of 11 vulnerabilities targeting potential exploits in platforms ranging from Microsoft Office to Forefron...
CVE-2010-3936
Cross-site scripting (XSS) vulnerability in Signurl.asp in Microsoft Forefront Unified Access Gateway (UAG) 2010 Gold, 2010 Update 1, and 2010 Update 2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "XSS in Signurl.asp Vulnerability."...
CVE-2010-2734
Cross-site scripting (XSS) vulnerability in the mobile portal in Microsoft Forefront Unified Access Gateway (UAG) 2010 Gold, 2010 Update 1, and 2010 Update 2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "XSS Issue on UAG Mobile Portal Website in Forefron...
CVE-2010-2732
Open redirect vulnerability in the web interface in Microsoft Forefront Unified Access Gateway (UAG) 2010 Gold, 2010 Update 1, and 2010 Update 2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, aka "UAG Redirection Spoofing...
CVE-2010-2733
Cross-site scripting (XSS) vulnerability in the Web Monitor in Microsoft Forefront Unified Access Gateway (UAG) 2010 Gold, 2010 Update 1, and 2010 Update 2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "UAG XSS Allows EOP Vulnerability."...
Cross site scripting
Cross-site scripting (XSS) vulnerability in Signurl.asp in Microsoft Forefront Unified Access Gateway (UAG) 2010 Gold, 2010 Update 1, and 2010 Update 2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "XSS in Signurl.asp Vulnerability."...