CVE-2009-3748

Name of the Vulnerable Software and Affected Versions Websense Personal Email Manager versions prior to 7.1 Hotfix 4 Websense Email Security versions prior to 7.1 Hotfix 4

Description The issue allows remote attackers to inject arbitrary web script or HTML via several parameters to specific API endpoints, including "web/msgList/viewmsg/actions/msgAnalyse.asp", "actions/msgForwardToRiskFilter.asp", and "viewHeaders.asp" in "web/msgList/viewmsg/". The vulnerable parameters include FileName, IsolatedMessageID, ServerName, Dictionary, Scoring, MessagePart, Queue, and the subject in an e-mail message.

Recommendations For Websense Personal Email Manager versions prior to 7.1 Hotfix 4, apply Hotfix 4 to resolve the issue. For Websense Email Security versions prior to 7.1 Hotfix 4, apply Hotfix 4 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as "web/msgList/viewmsg/actions/msgAnalyse.asp", until a patch is available. Avoid using the vulnerable parameters, including FileName, IsolatedMessageID, ServerName, Dictionary, Scoring, MessagePart, and Queue, in the affected API endpoints until the issue is resolved.