PT-2016-3928 · Blue Coat · Blue Coat Proxysg+1

Published: 2016-01-08 · Updated: 2016-01-13 · CVE-2015-8597

CVSS v2.0: 5.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Blue Coat ProxySG versions 6.5 through 6.5.8.8
Blue Coat ProxySG version 6.6
Advanced Secure Gateway (ASG) version 6.6

Description

The issue allows remote attackers to redirect users to arbitrary web sites, potentially leading to phishing attacks. This can be achieved via a base64-encoded URL in conjunction with a "clear text" one in a coaching page. For example, an attacker could use a URL like "http://www.%humbug-URL%.local/bluecoat-splash-API?%BASE64-URL%".

Recommendations

For Blue Coat ProxySG versions 6.5 through 6.5.8.8, update to version 6.5.8.8 or later. For Blue Coat ProxySG version 6.6 and Advanced Secure Gateway (ASG) version 6.6, consider disabling the coaching page feature until a patch is available. As a temporary workaround, restrict access to the coaching page to minimize the risk of exploitation.


Related identifiers

CVE-2015-8597

Affected products

Advanced Secure Gateway
Blue Coat Proxysg