I. VULNERABILITY
-------------------------
Reflected XSS vulnerability in Cisco Ironport Email Security Virtual Appliance Version: 8.0.0-671

II. BACKGROUND
-------------------------
Cisco Systems, Inc. is an American multinational corporation headquartered in San Jose, California, that designs, manufactures, and sells networking equipment.

III. DESCRIPTION
-------------------------
A reflected XSS vulnerability has been detected in the Cisco Ironport Email Security Virtual Appliance. The code injection is done through the parameter "date_range" in the page "/monitor/reports/overview?printable=False&date_range".

IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter "date_range" correctly.

https://ip_cisco_web_security/monitor/reports/overview?printable=False&date_range=aaaa<script>alert(2)</script>

V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in the context of a targeted user's browser.

VI. SYSTEMS AFFECTED
-------------------------
Cisco Ironport Email Security Virtual Appliance Version: 8.0.0-671.

VII. SOLUTION
-------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3289

By William Costa
william.co...@gmail.com

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
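
A log check for the request pattern described in the advisory, added here as an example and not part of the original post or of any Cisco tooling. It flags requests to /monitor/reports/overview whose "date_range" value, after percent-decoding, contains characters outside a conservative allow-list. The allow-list, the combined-log-format layout and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

REPORT_PATH = "/monitor/reports/overview"  # page named in the advisory
PARAM = "date_range"                       # parameter named in the advisory
# Assumption: legitimate date_range values use only these characters.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:\-]*")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_date_range(log_line):
    """Return the decoded date_range value if it fails the allow-list, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if url.path != REPORT_PATH:
        return None
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name == PARAM:
            decoded = fully_decode(value)
            if not SAFE_VALUE.fullmatch(decoded):
                return decoded
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    checked = ((n, suspicious_date_range(l)) for n, l in enumerate(lines, 1))
    return [(n, v) for n, v in checked if v is not None]

# Constructed sample log lines (combined log format, documentation IPs).
SAMPLE_LOG = [
    '192.0.2.10 - admin [01/Jan/2014:10:00:00 +0000] "GET /monitor/reports/overview?printable=False&date_range=current_day HTTP/1.1" 200 5120',
    '192.0.2.44 - admin [01/Jan/2014:10:02:11 +0000] "GET /monitor/reports/overview?printable=False&date_range=aaaa%3Cscript%3Ealert(2)%3C/script%3E HTTP/1.1" 200 5231',
    '192.0.2.44 - admin [01/Jan/2014:10:02:40 +0000] "GET /monitor/reports/overview?printable=False&date_range=%253Cscript%253E HTTP/1.1" 200 5198',
    '192.0.2.10 - admin [01/Jan/2014:10:05:00 +0000] "GET /help?date_range=%3Cb%3E HTTP/1.1" 404 312',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious {PARAM}={value!r}")
```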