-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0080
   A vulnerability has been reported in Barracuda Message Archiver v3.2
                               21 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Barracuda Message Archiver
Operating System:     Network Appliance
Impact/Access:        Cross-site Scripting -- Existing Account
Resolution:           Patch/Upgrade
Member content until: Wednesday, August 20 2014

OVERVIEW

        A vulnerability has been reported in Barracuda Message Archiver v3.2. [1]


IMPACT

        Barracuda has provided the following details regarding this issue:
        
        "Barracuda Message Archiver is vulnerable to an authenticated 
        persistent XSS in the versions listed above. The vulnerability 
        allows remote attackers to inject persistent malicious script via 
        the web interface of the device. The attacker must have partial 
        admin privileges in order to execute the attack. In practice this 
        vulnerability may be viably exploitable." [1]


MITIGATION

        The vendor recommends upgrading to the latest version of the affected
        product.


REFERENCES

        [1] BNSEC-00703: Remote authenticated persistent XSS in Barracuda
            Message Archiver v3.2
            https://www.barracuda.com/support/knowledgebase/501600000013lXe

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----