-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0542
               FSC-2014-2: Cross-site Scripting Vulnerability
                               22 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F-Secure Messaging Secure Gateway
Publisher:         F-Secure
Operating System:  VMware ESX Server
                   Network Appliance
Impact/Access:     Cross-site Scripting -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-2844

Original Bulletin:
   http://www.f-secure.com/en/web/labs_global/fsc-2014-2

- --------------------------BEGIN INCLUDED TEXT--------------------

FSC-2014-2: Cross-site Scripting Vulnerability

Brief Description

An improper validation check on the "new" parameter of the Admin console
page of the Messaging Secure Gateway 7.5.0 product causes a cross-site
scripting vulnerability.

Products

Risk Level: Low (Low/Medium/High/Critical)

F-Secure Messaging Secure Gateway 7.5.0

Notes

A cross-site scripting vulnerability occurs in the Admin console of the
Messaging Secure Gateway 7.5.0 product if an unterminated script is input
to the "new" parameter, which is used to create new users. Successful
exploitation could result in the creation of a new Administrator user
account.

This issue has been assigned the identifier CVE-2014-2844.

Mitigating Factor

An administrator account is needed prior to successfully exploiting the
vulnerability. The exploit only works on Internet Explorer and Firefox.

Fix Available

Product Versions                           Download
F-Secure Messaging Secure Gateway 7.5.0    Patch 1862 has been applied to
                                           all F-Secure Messaging Secure
                                           Gateway clusters.
                                           1. Verify that the patch has
                                              been installed.

Credits

F-Secure Corporation would like to thank Mr. William Costa for bringing
this issue to our attention.

Advisory Changes

Date          Changes
16th April    First advisory published.
17th April    Clarified Mitigating Factor.

Date Issued: 2014-04-16
Date Last Updated: 2014-04-17

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================