PT-2014-4913 · F Secure · F-Secure Messaging Secure Gateway

William Costa

Published

2014-04-18

Updated

2014-04-21

CVE-2014-2844

CVSS v2.0

3.5

Low

Vector

AV:N/AC:M/Au:S/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions F-Secure Messaging Secure Gateway version 7.5.0 before Patch 1862

Description A cross-site scripting (XSS) issue allows remote authenticated administrators to inject arbitrary web script or HTML via the new parameter in the SysUser module to admin. This can be achieved by accessing specific API endpoints, although the exact endpoint is not specified.

Recommendations For F-Secure Messaging Secure Gateway version 7.5.0, apply Patch 1862 to resolve the issue. As a temporary workaround, consider restricting access to the SysUser module to minimize the risk of exploitation. Avoid using the new parameter in the affected module until the issue is resolved.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2014-2844

Affected Products

F-Secure Messaging Secure Gateway

PT-2014-4913 · F Secure · F-Secure Messaging Secure Gateway

CVE-2014-2844

Weakness Enumeration

Related Identifiers

Affected Products

References · 4