Description
Symantec Brightmail Gateway Appliance is vulnerable to multiple reflected XSS attacks. When exploited by an authenticated user, the identified vulnerabilities could lead to Information Disclosure, Session Hijack, access to Intranet servers, or injecting malicious JavaScript and HTML code to request inappropriate materials 'on behalf' of the user(s) being attacked.
The vulnerable resources include edit.do, PatternFlow$viewReadOnly.flo, ComplianceFlow$edit.flo, saveSpamSettings.do and saveSpamSettings.do, as shown below: url_placeholder/edit.do?userID=%3Cscript%3Ealert(%27xss%27)%3C/script%3E
Symantec Brightmail Gateway Appliance 8300 - All versions prior to 8.0.1Symantec Mail Security Appliance 8200/8300 - All versions
Mitigation
Vendor recommends upgrading
to Symantec Brightmail Gateway version 8.0.1 or later.
Alternatively, please contact Symantec for
technical support.
Disclosure Timeline 25 January 2009: Vulnerabilities discovered and documented 28 January 2009: Vendor notified 02 February 2009: Vendor confirmed receiving the original reports 08 February 2009: Vendor confirmed the identified vulnerabilities 23 April 2009: Vendor released patches for reported vulnerabilities 23 February 2010: Current advisory published MVSA-09-002
Dr. Marian
Ventuneac
|
Security Advisories >