PT-2015-4359 · Websense · Websense Web Security Gateway Anywhere (+3 products)

Cengiz Han Sahin · Published 2015-03-25 · Updated 2018-10-09 · CVE-2014-9711

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Websense TRITON AP-WEB versions prior to 8.0.0
Websense Web Security and Filter versions 7.8.3 through 7.8.3 before Hotfix 02
Websense Web Security Gateway versions 7.8.3 through 7.8.3 before Hotfix 02
Websense Web Security Gateway Anywhere versions 7.8.3 through 7.8.3 before Hotfix 02 and 7.8.4 before Hotfix 01

Description

The issue allows remote attackers to inject arbitrary web script or HTML via the ReportName (Job Name) parameter to "cgi-bin/WsCgiExplorerSchedule.exe" in the Job Queue, or via the col parameter to the Names or Anonymous summary report page.

Recommendations

For Websense TRITON AP-WEB versions prior to 8.0.0, update to version 8.0.0 or later. For Websense Web Security and Filter, Web Security Gateway, and Web Security Gateway Anywhere versions 7.8.3 before Hotfix 02, apply Hotfix 02. For Websense Web Security Gateway Anywhere version 7.8.4 before Hotfix 01, apply Hotfix 01. As a temporary workaround, consider restricting access to the vulnerable "cgi-bin/WsCgiExplorerSchedule.exe" and "explorer wse/explorer anon.exe" pages until a patch is available. Avoid using the ReportName and col parameters in the affected API endpoints until the issue is resolved.

Exploit

Fix

XSS

Weakness Enumeration

Related identifiers

CVE-2014-9711

Affected products

Websense Triton Ap-Web
Websense Web Security Gateway
Websense Web Security Gateway Anywhere
Websense Web Security/Web Filter