Symantec Web Isolation (WI) is susceptible to a reflected cross-site scripting (XSS) vulnerability. A remote attacker can target end users protected by WI with social engineering attacks using crafted URLs for legitimate web sites. A successful attack allows injecting malicious JavaScript code into the website's rendered copy running inside the end user's web browser. It does not allow injecting code into the real (isolated) copy of the website running on the WI Threat Isolation Engine.

CVE | Affected Version(s) | Remediation
---|---|---
CVE-2018-12246 | 1.10 and earlier | Not vulnerable
CVE-2018-12246 | 1.11 | Upgrade to 1.11.21.

Symantec Web Isolation is only vulnerable when configured in Portal Isolation mode.

Field | Value
---|---
Severity / CVSSv3 | Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
References | SecurityFocus: BID 105581 / NVD: CVE-2018-12246
Impact | Cross-site scripting (XSS)
Description | A reflected cross-site scripting (XSS) vulnerability in Web Isolation allows a remote attacker to target end users protected by Web Isolation with phishing attacks and other social engineering techniques using crafted URLs for legitimate websites. A successful attack allows injecting malicious JavaScript code into the website's rendered copy running inside the end user's web browser. It does not allow injecting code into the real (isolated) copy of the website running on the Web Isolation Threat Isolation Engine.

JVN#58005743 - <https://jvn.jp/en/jp/JVN58005743/>
2018-10-22 Added reference to JVN#58005743.
2018-10-16 Initial public release.

CPE

Name | Operator | Version
---|---|---
web isolation | eq | 1