CVE-2014-3289

Name of the Vulnerable Software and Affected Versions Cisco AsyncOS on the Email Security Appliance (ESA) versions 8.0 and earlier Cisco AsyncOS on the Web Security Appliance (WSA) versions 8.0(.5 Hot Patch 1) and earlier Cisco AsyncOS on the Content Security Management Appliance (SMA) versions 8.3 and earlier

Description A cross-site scripting (XSS) issue exists in the web management interface, allowing remote attackers to inject arbitrary web script or HTML via a crafted parameter, such as the date range parameter to the "monitor/reports/overview" endpoint.

Recommendations For Cisco AsyncOS on the Email Security Appliance (ESA) versions 8.0 and earlier, update to a version that includes the fix for this issue. For Cisco AsyncOS on the Web Security Appliance (WSA) versions 8.0(.5 Hot Patch 1) and earlier, update to a version that includes the fix for this issue. For Cisco AsyncOS on the Content Security Management Appliance (SMA) versions 8.3 and earlier, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the "monitor/reports/overview" endpoint to minimize the risk of exploitation. Avoid using the date range parameter in the affected endpoint until the issue is resolved.