OSVDB ID: 80138

Title: McAfee Email and Web Security Appliance / Email Gateway Unspecified XSS

Dates

Disclosure: Mar 15, 2012
Discovery: Unknown
Exploit: Unknown
Solution: Mar 15, 2012

Description

McAfee Email and Web Security Appliance and Email Gateway contain a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the applications do not validate certain unspecified input before returning it to the user. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Private
Disclosure: Vendor Verified, Coordinated Disclosure
OSVDB: Web Related, Security Software

Solution

Upgrade Email and Web Security to version 5.5 Patch 6 or 5.6 Patch 3 or higher, and Email Gateway to version 7.0 Patch 1 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

McAfee, Inc.

McAfee Email and Web Security Appliance

5.5 Patch 5
5.6 Patch 2

McAfee Email Gateway

7.0

Credit

Unknown or Incomplete



Direct URL: http://osvdb.org/80138