PT-2015-5864 · Websense · Websense TRITON, Websense V-Series

Cengiz Han Sahin · Published 2015-03-26 · Updated 2018-10-09 · CVE-2015-2746

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Websense TRITON version 7.8.3 before Hotfix 02; Websense V-Series appliances version 7.8.3 before Hotfix 02.
Description: The network diagnostics tool CommandLineServlet in the Appliance Manager command line utility passes the second parameter of a diagnostic command to the shell without neutralising shell metacharacters. A remote authenticated user can therefore execute arbitrary commands on the appliance by placing shell metacharacters (for example `;`, `|`, `$(...)`) in that parameter, as demonstrated with the Destination parameter of the ping command. Authentication to the Appliance Manager is the only precondition (CVSS Au:S), and the injected command runs with whatever privileges the servlet's process has, so the defect is an operating-system command injection (not a bug in ping itself).
Recommendations: For Websense TRITON 7.8.3, update to version 7.8.4 Hotfix 02. For Websense V-Series appliances 7.8.3, update to version 7.8.4 Hotfix 02. Until the hotfix is applied, restrict access to the CommandLineServlet and the Appliance Manager interface to trusted administrator networks and accounts, review Appliance Manager access logs for diagnostic commands whose parameters contain shell metacharacters, and avoid using the second parameter of the diagnostic commands.
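The vulnerable pattern the description refers to, next to the shape of the fix, as an added illustration. This is not Websense code: the real CommandLineServlet is a Java servlet whose source is not public, so Python is used here and `echo` stands in for `ping` so the block runs offline. The destination strings, the function names and the allow-list rule are constructed for the example.

```python
import ipaddress
import re
import subprocess

# Constructed inputs (not from the advisory): a benign Destination value and one
# that smuggles a second command in via ';', the "second parameter" position.
BENIGN_DEST = "10.0.0.1"
INJECTED_DEST = "10.0.0.1; echo INJECTED"

# One DNS label (RFC 1123 shape): letters, digits, hyphens, 1-63 chars,
# no leading or trailing hyphen. A leading '-' is also how a value would be
# mistaken for a ping option, so rejecting it closes argument injection too.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_destination(dest: str) -> str:
    """Allow-list check for a ping Destination: an IPv4/IPv6 literal or a
    hostname. Spaces, ';', '|', '$', backticks and quotes never match, so
    they are rejected before the value gets anywhere near a process call."""
    if not dest or len(dest) > 253:
        raise ValueError("destination missing or too long")
    try:
        ipaddress.ip_address(dest)
        return dest
    except ValueError:
        pass
    labels = dest.rstrip(".").split(".")
    if labels and all(_LABEL.match(label) for label in labels):
        return dest
    raise ValueError(f"invalid destination: {dest!r}")


def vulnerable_ping(dest: str) -> str:
    """Vulnerable pattern: the user-controlled value is concatenated into a
    single command string and handed to /bin/sh (shell=True), so the shell
    interprets every metacharacter in it. Returns what the shell printed."""
    result = subprocess.run(
        "echo PING " + dest, shell=True, capture_output=True, text=True
    )
    return result.stdout


def hardened_ping(dest: str) -> str:
    """Hardened form: validate against the allow-list first, then pass an argv
    list so no shell is involved and the destination is exactly one argument."""
    safe = validate_destination(dest)
    result = subprocess.run(
        ["echo", "PING", safe], capture_output=True, text=True
    )
    return result.stdout


def is_rejected(dest: str) -> bool:
    """Helper for checks: True if the allow-list refuses the value."""
    try:
        validate_destination(dest)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_ping(INJECTED_DEST)))  # second line INJECTED
    print("hardened  :", repr(hardened_ping(BENIGN_DEST)))
    print("rejected  :", is_rejected(INJECTED_DEST))
```

The two defences are independent and both matter: the argv list alone stops `;`-style injection but would still let a value such as `-c 100000` be parsed as a ping option, while the allow-list alone would still be fragile if a later change reintroduced a shell. Rejecting on an allow-list rather than stripping known-bad characters is deliberate; blacklists of metacharacters are routinely bypassed with newlines, `$IFS`, or encodings the filter did not anticipate.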

Exploit · Fix · Command Injection


Weakness Enumeration

Related Identifiers

CVE-2015-2746

Affected Products

Websense Triton
Websense V-Series