CVE-2014-9430

Name of the Vulnerable Software and Affected Versions Smoothwall Express version 3.0 SP3

Description A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML via the COMMENT parameter in an Add action in the httpd/cgi-bin/vpn.cgi/vpnconfig.dat endpoint.

Recommendations For Smoothwall Express version 3.0 SP3, as a temporary workaround, consider restricting access to the httpd/cgi-bin/vpn.cgi/vpnconfig.dat endpoint until a patch is available. Avoid using the COMMENT parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.