Details of VAR-200804-0173

ID

VAR-200804-0173

CVE

CVE-2008-2030

TITLE

F5 FirePass 4100 SSL VPN of installControl.php3 Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2008-003022

DESCRIPTION

Cross-site scripting (XSS) vulnerability in installControl.php3 in F5 FirePass 4100 SSL VPN 5.4.2-5.5.2 and 6.0-6.2 allows remote attackers to inject arbitrary web script or HTML via the query string. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks. FirePass 4100 SSL VPN Firmware 5.4.2-5.5.2 and 6.0-6.2 are vulnerable. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta 3 days left of beta period. The 1st generation of the Secunia Network Software Inspector (NSI) has been available for corporate users for almost 1 year and its been a tremendous success. The 2nd generation Secunia NSI is built on the same technology as the award winning Secunia PSI, which has already been downloaded and installed on more than 400,000 computers world wide. Input passed via the URL to the "installControl.php3" script is not properly sanitised before being returned to the user. SOLUTION: Do not follow untrusted links. Filter malicious characters and character sequences using a proxy. PROVIDED AND/OR DISCOVERED BY: Alberto Cuesta Partida, 514.es ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2008-2030 // JVNDB: JVNDB-2008-003022 // BID: 28902 // VULHUB: VHN-32155 // PACKETSTORM: 65884

AFFECTED PRODUCTS

vendor:	f5	model:	firepass ssl vpn	scope:	eq	version:	5.4.2	Trust: 1.6
vendor:	f5	model:	firepass ssl vpn	scope:	eq	version:	5.5.2	Trust: 1.6
vendor:	f5	model:	firepass ssl vpn	scope:	eq	version:	6.2	Trust: 1.6
vendor:	f5	model:	firepass ssl vpn	scope:	eq	version:	6.0	Trust: 1.6
vendor:	f5	model:	firepass 4100	scope:	-	version:	-	Trust: 1.4
vendor:	f5	model:	firepass 4100	scope:	eq	version:	*	Trust: 1.0
vendor:	f5	model:	firepass ssl vpn	scope:	eq	version:	5.4.2 to 5.5.2	Trust: 0.8
vendor:	f5	model:	firepass ssl vpn	scope:	eq	version:	and 6.0 to 6.2	Trust: 0.8
vendor:	f5	model:	firepass	scope:	eq	version:	41000	Trust: 0.3
vendor:	f5	model:	firepass	scope:	eq	version:	6.0.2	Trust: 0.3
vendor:	f5	model:	firepass	scope:	eq	version:	6.0.1	Trust: 0.3
vendor:	f5	model:	firepass	scope:	eq	version:	5.5.2	Trust: 0.3
vendor:	f5	model:	firepass	scope:	eq	version:	5.4.1	Trust: 0.3
vendor:	f5	model:	firepass	scope:	eq	version:	6.0	Trust: 0.3
vendor:	f5	model:	firepass	scope:	eq	version:	5.4	Trust: 0.3
vendor:	f5	model:	firepass	scope:	ne	version:	6.0.2.3	Trust: 0.3

sources: BID: 28902 // JVNDB: JVNDB-2008-003022 // CNNVD: CNNVD-200804-447 // NVD: CVE-2008-2030

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2008-2030
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2008-2030
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-200804-447
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-32155
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2008-2030
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-32155
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-32155 // JVNDB: JVNDB-2008-003022 // CNNVD: CNNVD-200804-447 // NVD: CVE-2008-2030

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-32155 // JVNDB: JVNDB-2008-003022 // NVD: CVE-2008-2030

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200804-447

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 65884 // CNNVD: CNNVD-200804-447

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-003022

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-32155

PATCH

title:

Top Page

url:

http://www.f5.com/products/firepass/

Trust: 0.8

sources: JVNDB: JVNDB-2008-003022

EXTERNAL IDS

db:	NVD	id:	CVE-2008-2030	Trust: 2.8
db:	BID	id:	28902	Trust: 2.0
db:	SECUNIA	id:	29931	Trust: 1.8
db:	JVNDB	id:	JVNDB-2008-003022	Trust: 0.8
db:	CNNVD	id:	CNNVD-200804-447	Trust: 0.7
db:	XF	id:	42078	Trust: 0.6
db:	EXPLOIT-DB	id:	31698	Trust: 0.1
db:	SEEBUG	id:	SSVID-85013	Trust: 0.1
db:	VULHUB	id:	VHN-32155	Trust: 0.1
db:	PACKETSTORM	id:	65884	Trust: 0.1

sources: VULHUB: VHN-32155 // BID: 28902 // JVNDB: JVNDB-2008-003022 // PACKETSTORM: 65884 // CNNVD: CNNVD-200804-447 // NVD: CVE-2008-2030

REFERENCES

url:	http://www.securityfocus.com/bid/28902	Trust: 1.7
url:	http://downloads.securityfocus.com/vulnerabilities/exploits/28902.html	Trust: 1.7
url:	http://secunia.com/advisories/29931	Trust: 1.7
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/42078	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-2030	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-2030	Trust: 0.8
url:	http://xforce.iss.net/xforce/xfdb/42078	Trust: 0.6
url:	http://f5.com/products/firepass/	Trust: 0.3
url:	http://secunia.com/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/network_software_inspector_2/	Trust: 0.1
url:	http://secunia.com/product/4695/	Trust: 0.1
url:	http://secunia.com/advisories/29931/	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/product/13146/	Trust: 0.1
url:	http://secunia.com/about_secunia_advisories/	Trust: 0.1

sources: VULHUB: VHN-32155 // BID: 28902 // JVNDB: JVNDB-2008-003022 // PACKETSTORM: 65884 // CNNVD: CNNVD-200804-447 // NVD: CVE-2008-2030

CREDITS

Alberto Cuesta Partida

Trust: 0.6

sources: CNNVD: CNNVD-200804-447

SOURCES

db:	VULHUB	id:	VHN-32155
db:	BID	id:	28902
db:	JVNDB	id:	JVNDB-2008-003022
db:	PACKETSTORM	id:	65884
db:	CNNVD	id:	CNNVD-200804-447
db:	NVD	id:	CVE-2008-2030

LAST UPDATE DATE

2024-11-23T22:32:03.688000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-32155	date:	2017-08-08T00:00:00
db:	BID	id:	28902	date:	2015-05-07T17:29:00
db:	JVNDB	id:	JVNDB-2008-003022	date:	2012-06-26T00:00:00
db:	CNNVD	id:	CNNVD-200804-447	date:	2008-09-05T00:00:00
db:	NVD	id:	CVE-2008-2030	date:	2024-11-21T00:45:55.730

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-32155	date:	2008-04-30T00:00:00
db:	BID	id:	28902	date:	2008-04-23T00:00:00
db:	JVNDB	id:	JVNDB-2008-003022	date:	2012-06-26T00:00:00
db:	PACKETSTORM	id:	65884	date:	2008-04-28T22:12:57
db:	CNNVD	id:	CNNVD-200804-447	date:	2008-04-30T00:00:00
db:	NVD	id:	CVE-2008-2030	date:	2008-04-30T16:17:00