Symantec Security Response: SMNTC-1464
Oct 16, 2018 - 8:01 a.m.

Reflected XSS Vulnerability in Web Isolation

2018-10-16 08:01:01
Symantec Security Response

EPSS: 0.002 (Low), percentile 55.1%

SUMMARY

Symantec Web Isolation (WI) is susceptible to a reflected cross-site scripting (XSS) vulnerability. A remote attacker can target end users protected by WI with social engineering attacks using crafted URLs for legitimate web sites. A successful attack allows injecting malicious JavaScript code into the website's rendered copy running inside the end user's web browser. It does not allow injecting code into the real (isolated) copy of the website running on the WI Threat Isolation Engine.

AFFECTED PRODUCTS

Web Isolation

CVE | Affected Version(s) | Remediation
CVE-2018-12246 | 1.10 and earlier | Not vulnerable
CVE-2018-12246 | 1.11 | Upgrade to 1.11.21.

ADDITIONAL PRODUCT INFORMATION

Symantec Web Isolation is only vulnerable when configured in Portal Isolation mode.

ISSUES

CVE-2018-12246

Severity / CVSSv3 | Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
References | SecurityFocus: BID 105581 / NVD: CVE-2018-12246
Impact | Cross-site scripting (XSS)
Description | A reflected cross-site scripting (XSS) vulnerability in Web Isolation allows a remote attacker to target end users protected by Web Isolation with phishing attacks and other social engineering techniques using crafted URLs for legitimate websites. A successful attack allows injecting malicious JavaScript code into the website's rendered copy running inside the end user's web browser. It does not allow injecting code into the real (isolated) copy of the website running on the Web Isolation Threat Isolation Engine.

REFERENCES

JVN#58005743 - <https://jvn.jp/en/jp/JVN58005743/>

REVISION

2018-10-22 Added reference to JVN#58005743.
2018-10-16 Initial public release.

CPE
Name | Operator | Version
web isolation | eq | 1
web isolation | eq | 1
