Details of VAR-201406-0306

ID

VAR-201406-0306

CVE

CVE-2014-3289

TITLE

Cisco AsyncOS contains a reflected cross-site scripting (XSS) vulnerability

Trust: 0.8

sources: CERT/CC: VU#613308

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the web management interface in Cisco AsyncOS on the Email Security Appliance (ESA) 8.0, Web Security Appliance (WSA) 8.0 (.5 Hot Patch 1) and earlier, and Content Security Management Appliance (SMA) 8.3 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted parameter, as demonstrated by the date_range parameter to monitor/reports/overview on the IronPort ESA, aka Bug IDs CSCun07998, CSCun07844, and CSCun07888. Cisco AsyncOS Multiple products that run on have cross-site scripting vulnerabilities. Cisco AsyncOS Multiple products that run on the date_range Cross-site scripting vulnerability due to parameters (CWE-79) Exists. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') http://cwe.mitre.org/data/definitions/79.htmlAn arbitrary script may be executed on the user's web browser. The Cisco IronPort family of products is a widely used mail encryption gateway, and AsyncOS is the operating system used by the product. The vulnerability stems from a program failing to properly filter user-supplied input. An attacker could exploit this vulnerability to execute arbitrary code in the context of the affected site user's browser, stealing cookie-based authentication credentials. And launch other attacks. This issue is being tracked by Cisco Bug IDs CSCun07998, CSCun07844 and CSCun07888. Cisco AsyncOS on Email Security Appliance (ESA) and others are products of Cisco (Cisco). Cisco ESA is an email security appliance. Cisco Content Security Management Appliance (SMA) is a content security management appliance. Cisco Web Security Appliance (WSA) is a set of network security appliances

Trust: 3.24

sources: NVD: CVE-2014-3289 // CERT/CC: VU#613308 // JVNDB: JVNDB-2014-002803 // CNVD: CNVD-2014-03650 // BID: 67943 // VULHUB: VHN-71229

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-03650

AFFECTED PRODUCTS

vendor:	cisco	model:	ironport asyncos	scope:	eq	version:	8.0	Trust: 1.6
vendor:	cisco	model:	web security appliance	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	content security management appliance	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	ironport asyncos	scope:	lte	version:	8.3	Trust: 1.0
vendor:	cisco	model:	email security appliance	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	ironport asyncos	scope:	lte	version:	8.0	Trust: 1.0
vendor:	cisco	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	e email security the appliance	scope:	lte	version:	(esa) 8.0	Trust: 0.8
vendor:	cisco	model:	web security the appliance	scope:	lte	version:	(wsa) 8.0	Trust: 0.8
vendor:	cisco	model:	content security management appliance	scope:	lte	version:	(sma) 8.3	Trust: 0.8
vendor:	cisco	model:	ironport asyncos software	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	email security appliance	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	ironport asyncos	scope:	eq	version:	8.3	Trust: 0.6

sources: CERT/CC: VU#613308 // CNVD: CNVD-2014-03650 // JVNDB: JVNDB-2014-002803 // CNNVD: CNNVD-201406-171 // NVD: CVE-2014-3289

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-3289
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-3289
value:	MEDIUM
Trust: 0.8
IPA:	JVNDB-2014-002803
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2014-03650
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201406-171
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-71229
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-3289
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	CVE-2014-3289
severity:	MEDIUM
baseScore:	4.3
vectorString:	NONE
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
IPA:	JVNDB-2014-002803
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2014-03650
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-71229
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CERT/CC: VU#613308 // CNVD: CNVD-2014-03650 // VULHUB: VHN-71229 // JVNDB: JVNDB-2014-002803 // CNNVD: CNNVD-201406-171 // NVD: CVE-2014-3289

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-71229 // JVNDB: JVNDB-2014-002803 // NVD: CVE-2014-3289

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201406-171

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201406-171

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002803

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#613308

PATCH

title:	Cisco AsyncOS Cross-Site Scripting Vulnerability	url:	http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3289	Trust: 0.8
title:	34569	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=34569	Trust: 0.8
title:	Patch for Cisco AsyncOS Software Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/46394	Trust: 0.6

sources: CNVD: CNVD-2014-03650 // JVNDB: JVNDB-2014-002803

EXTERNAL IDS

db:	NVD	id:	CVE-2014-3289	Trust: 4.2
db:	CERT/CC	id:	VU#613308	Trust: 2.7
db:	BID	id:	67943	Trust: 2.0
db:	SECUNIA	id:	58296	Trust: 1.1
db:	PACKETSTORM	id:	127004	Trust: 1.1
db:	SECTRACK	id:	1030407	Trust: 1.1
db:	JVN	id:	JVNVU98777725	Trust: 0.8
db:	JVNDB	id:	JVNDB-2014-002803	Trust: 0.8
db:	CNNVD	id:	CNNVD-201406-171	Trust: 0.7
db:	CNVD	id:	CNVD-2014-03650	Trust: 0.6
db:	FULLDISC	id:	20140609 CISCO ASYNCOS CROSS-SITE SCRIPTING VULNERABILITY CVE-2014-3289	Trust: 0.6
db:	CISCO	id:	20140609 CISCO ASYNCOS CROSS-SITE SCRIPTING VULNERABILITY	Trust: 0.6
db:	VULHUB	id:	VHN-71229	Trust: 0.1

sources: CERT/CC: VU#613308 // CNVD: CNVD-2014-03650 // VULHUB: VHN-71229 // BID: 67943 // JVNDB: JVNDB-2014-002803 // CNNVD: CNNVD-201406-171 // NVD: CVE-2014-3289

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2014-3289	Trust: 3.3
url:	http://www.kb.cert.org/vuls/id/613308	Trust: 1.9
url:	http://www.securityfocus.com/bid/67943	Trust: 1.7
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=34569	Trust: 1.7
url:	http://seclists.org/fulldisclosure/2014/jun/57	Trust: 1.7
url:	http://packetstormsecurity.com/files/127004/cisco-ironport-email-security-virtual-appliance-8.0.0-671-xss.html	Trust: 1.1
url:	http://www.securitytracker.com/id/1030407	Trust: 1.1
url:	http://secunia.com/advisories/58296	Trust: 1.1
url:	http://www.cisco.com/c/en/us/products/security/email-security-appliance/asyncos_index.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/79.html	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3289	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu98777725/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3289	Trust: 0.8
url:	www.cisco.com	Trust: 0.3

sources: CERT/CC: VU#613308 // CNVD: CNVD-2014-03650 // VULHUB: VHN-71229 // BID: 67943 // JVNDB: JVNDB-2014-002803 // CNNVD: CNNVD-201406-171 // NVD: CVE-2014-3289

CREDITS

Cisco

Trust: 0.3

sources: BID: 67943

SOURCES

db:	CERT/CC	id:	VU#613308
db:	CNVD	id:	CNVD-2014-03650
db:	VULHUB	id:	VHN-71229
db:	BID	id:	67943
db:	JVNDB	id:	JVNDB-2014-002803
db:	CNNVD	id:	CNNVD-201406-171
db:	NVD	id:	CVE-2014-3289

LAST UPDATE DATE

2024-11-23T22:39:01.031000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#613308	date:	2014-06-10T00:00:00
db:	CNVD	id:	CNVD-2014-03650	date:	2014-06-13T00:00:00
db:	VULHUB	id:	VHN-71229	date:	2018-10-30T00:00:00
db:	BID	id:	67943	date:	2014-06-10T05:43:00
db:	JVNDB	id:	JVNDB-2014-002803	date:	2014-06-11T00:00:00
db:	CNNVD	id:	CNNVD-201406-171	date:	2014-06-11T00:00:00
db:	NVD	id:	CVE-2014-3289	date:	2024-11-21T02:07:47.950

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#613308	date:	2014-06-10T00:00:00
db:	CNVD	id:	CNVD-2014-03650	date:	2014-06-13T00:00:00
db:	VULHUB	id:	VHN-71229	date:	2014-06-10T00:00:00
db:	BID	id:	67943	date:	2014-06-09T00:00:00
db:	JVNDB	id:	JVNDB-2014-002803	date:	2014-06-11T00:00:00
db:	CNNVD	id:	CNNVD-201406-171	date:	2014-06-11T00:00:00
db:	NVD	id:	CVE-2014-3289	date:	2014-06-10T11:19:35.797