PT-2020-7778 · Unknown · Netsweeper

Published: 2020-02-19 · Updated: 2020-02-20 · CVE-2014-9606

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions:
Netsweeper versions 3.1.9 and earlier
Netsweeper versions 4.0.x through 4.0.8
Netsweeper versions 4.1.x through 4.1.1
Description: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various parameters, including the server parameter to "remotereporter/load_logfiles.php", the customctid parameter to "webadmin/policy/category_table_ajax.php", the urllist parameter to "webadmin/alert/alert.php", the QUERY_STRING to "webadmin/ajaxfilemanager/ajax_get_file_listing.php", or the PATH_INFO to "webadmin/policy/policy_table_ajax.php/".
Recommendations: For Netsweeper versions 3.1.9 and earlier, update to version 3.1.10 or later. For Netsweeper versions 4.0.x through 4.0.8, update to version 4.0.9 or later. For Netsweeper versions 4.1.x through 4.1.1, update to version 4.1.2 or later. As a temporary workaround, consider restricting access to the vulnerable API endpoints until a patch is available.
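The workaround above (restricting access to the affected endpoints until the update is applied) can be expressed as a web-server access rule. The following nginx fragment is an added example written for this page; it is not from the advisory or from Netsweeper. The five paths are the ones listed in the description; the hostname, document root, PHP-FPM socket and the 10.0.0.0/8 administrative network are assumptions to be replaced with local values.

```nginx
# Added example, not Netsweeper's own configuration.
# Limits the endpoints named in CVE-2014-9606 to an administrative network
# while the vendor update is scheduled. Everything else is served as before.
server {
    listen 443 ssl;
    server_name netsweeper.example.internal;   # assumed hostname
    root /var/www/netsweeper;                   # assumed document root

    # This regex location is listed first so it wins over the generic
    # "\.php$" location below (nginx takes the first matching regex).
    # The trailing "(/.*)?" is needed because one of the affected scripts,
    # policy_table_ajax.php, is reached through PATH_INFO ("...php/extra").
    location ~ ^/(remotereporter/load_logfiles\.php|webadmin/policy/category_table_ajax\.php|webadmin/alert/alert\.php|webadmin/ajaxfilemanager/ajax_get_file_listing\.php|webadmin/policy/policy_table_ajax\.php)(/.*)?$ {
        allow 10.0.0.0/8;   # assumed administrative network
        deny  all;          # every other source gets HTTP 403

        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_pass unix:/run/php-fpm.sock;    # assumed socket path
    }

    # Unrestricted handling for the rest of the application.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;    # assumed socket path
    }
}
```

Two caveats a practitioner will want to check: the rule only helps if this server is the path every client actually takes (a second listener or a direct route to the backend bypasses it), and it is a stop-gap, not a fix, since the reflected parameters are still rendered unencoded for the addresses that remain allowed. On Apache httpd the equivalent is a `<LocationMatch>` block with the same pattern and `Require ip 10.0.0.0/8`.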

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2014-9606

Affected Products

Netsweeper