cnvd - cnvd-2018-04070

CNVD-2018-04070

Vulnerability from cnvd - Published: 2018-03-01

Title

Symantec ASG and ProxySG跨站脚本漏洞

Description

Symantec Advanced Secure Gateway（ASG）和ProxySG都是美国赛门铁克（Symantec）公司的安全网关设备。management console是其中的一个管理控制台。 Symantec ASG和ProxySG中的management console存在跨站脚本漏洞。远程攻击者可通过使用特制的管理控制台利用该漏洞向管理控制台的Web客户端应用程序注入任意的JavaScript代码。

Severity

中

Patch Name

Symantec ASG and ProxySG跨站脚本漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.symantec.com/security-center/network-protection-security-advisories/SA155

Reference

https://www.symantec.com/security-center/network-protection-security-advisories/SA155 https://www.securityfocus.com/bid/102447

Impacted products

Name
['Symantec ProxySG 6.6', 'Symantec Advanced Secure Gateway 6.6', 'Symantec Advanced Secure Gateway 6.7，<6.7.2.1', 'Symantec ProxySG 6.5，<6.5.10.6', 'Symantec ProxySG 6.7，<6.7.2.1']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "102447"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-10257"
    }
  },
  "description": "Symantec Advanced Secure Gateway\uff08ASG\uff09\u548cProxySG\u90fd\u662f\u7f8e\u56fd\u8d5b\u95e8\u94c1\u514b\uff08Symantec\uff09\u516c\u53f8\u7684\u5b89\u5168\u7f51\u5173\u8bbe\u5907\u3002management console\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7ba1\u7406\u63a7\u5236\u53f0\u3002\r\n\r\nSymantec ASG\u548cProxySG\u4e2d\u7684management console\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u4f7f\u7528\u7279\u5236\u7684\u7ba1\u7406\u63a7\u5236\u53f0\u5229\u7528\u8be5\u6f0f\u6d1e\u5411\u7ba1\u7406\u63a7\u5236\u53f0\u7684Web\u5ba2\u6237\u7aef\u5e94\u7528\u7a0b\u5e8f\u6ce8\u5165\u4efb\u610f\u7684JavaScript\u4ee3\u7801\u3002",
  "discovererName": "Jakub Pa\u0142aczy\u0144ski and Pawel Bartunek",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.symantec.com/security-center/network-protection-security-advisories/SA155",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-04070",
  "openTime": "2018-03-01",
  "patchDescription": "Symantec Advanced Secure Gateway\uff08ASG\uff09\u548cProxySG\u90fd\u662f\u7f8e\u56fd\u8d5b\u95e8\u94c1\u514b\uff08Symantec\uff09\u516c\u53f8\u7684\u5b89\u5168\u7f51\u5173\u8bbe\u5907\u3002management console\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7ba1\u7406\u63a7\u5236\u53f0\u3002\r\n\r\nSymantec ASG\u548cProxySG\u4e2d\u7684management console\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u4f7f\u7528\u7279\u5236\u7684\u7ba1\u7406\u63a7\u5236\u53f0\u5229\u7528\u8be5\u6f0f\u6d1e\u5411\u7ba1\u7406\u63a7\u5236\u53f0\u7684Web\u5ba2\u6237\u7aef\u5e94\u7528\u7a0b\u5e8f\u6ce8\u5165\u4efb\u610f\u7684JavaScript\u4ee3\u7801\u3002\r\n\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Symantec ASG and ProxySG\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Symantec ProxySG 6.6",
      "Symantec Advanced Secure Gateway 6.6",
      "Symantec Advanced Secure Gateway 6.7\uff0c\u003c6.7.2.1",
      "Symantec ProxySG 6.5\uff0c\u003c6.5.10.6",
      "Symantec ProxySG 6.7\uff0c\u003c6.7.2.1"
    ]
  },
  "referenceLink": "https://www.symantec.com/security-center/network-protection-security-advisories/SA155\r\nhttps://www.securityfocus.com/bid/102447",
  "serverity": "\u4e2d",
  "submitTime": "2018-01-11",
  "title": "Symantec ASG and ProxySG\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2016-10257 (GCVE-0-2016-10257)

Vulnerability from cvelistv5 – Published: 2018-01-10 02:00 – Updated: 2024-09-16 18:39

Summary

The Symantec Advanced Secure Gateway (ASG) 6.6, ASG 6.7 (prior to 6.7.2.1), ProxySG 6.5 (prior to 6.5.10.6), ProxySG 6.6, and ProxySG 6.7 (prior to 6.7.2.1) management console is susceptible to a reflected XSS vulnerability. A remote attacker can use a crafted management console URL in a phishing attack to inject arbitrary JavaScript code into the management console web client application. This is a separate vulnerability from CVE-2016-10256.

Severity ?

No CVSS data available.

CWE

Reflected XSS

Assigner

symantec

References

URL

Tags

	http://www.securitytracker.com/id/1040138	vdb-entryx_refsource_SECTRACK
	https://www.symantec.com/security-center/network-…	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/102447	vdb-entryx_refsource_BID

Impacted products

Vendor

Product

Version

Symantec Corporation

ASG

Affected: 6.6
Affected: 6.7 prior to 6.7.2.1

Symantec Corporation

ProxySG

Affected: 6.5 prior to 6.5.10.6
Affected: 6.6
Affected: 6.7 prior to 6.7.2.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T03:14:42.820Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1040138",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1040138"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.symantec.com/security-center/network-protection-security-advisories/SA155"
          },
          {
            "name": "102447",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/102447"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ASG",
          "vendor": "Symantec Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "status": "affected",
              "version": "6.7 prior to 6.7.2.1"
            }
          ]
        },
        {
          "product": "ProxySG",
          "vendor": "Symantec Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "6.5 prior to 6.5.10.6"
            },
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "status": "affected",
              "version": "6.7 prior to 6.7.2.1"
            }
          ]
        }
      ],
      "datePublic": "2018-01-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Symantec Advanced Secure Gateway (ASG) 6.6, ASG 6.7 (prior to 6.7.2.1), ProxySG 6.5 (prior to 6.5.10.6), ProxySG 6.6, and ProxySG 6.7 (prior to 6.7.2.1) management console is susceptible to a reflected XSS vulnerability. A remote attacker can use a crafted management console URL in a phishing attack to inject arbitrary JavaScript code into the management console web client application. This is a separate vulnerability from CVE-2016-10256."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Reflected XSS",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-11T10:57:01",
        "orgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5",
        "shortName": "symantec"
      },
      "references": [
        {
          "name": "1040138",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1040138"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.symantec.com/security-center/network-protection-security-advisories/SA155"
        },
        {
          "name": "102447",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/102447"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@symantec.com",
          "DATE_PUBLIC": "2018-01-09T00:00:00",
          "ID": "CVE-2016-10257",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ASG",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.6"
                          },
                          {
                            "version_value": "6.7 prior to 6.7.2.1"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "ProxySG",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.5 prior to 6.5.10.6"
                          },
                          {
                            "version_value": "6.6"
                          },
                          {
                            "version_value": "6.7 prior to 6.7.2.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Symantec Corporation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Symantec Advanced Secure Gateway (ASG) 6.6, ASG 6.7 (prior to 6.7.2.1), ProxySG 6.5 (prior to 6.5.10.6), ProxySG 6.6, and ProxySG 6.7 (prior to 6.7.2.1) management console is susceptible to a reflected XSS vulnerability. A remote attacker can use a crafted management console URL in a phishing attack to inject arbitrary JavaScript code into the management console web client application. This is a separate vulnerability from CVE-2016-10256."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Reflected XSS"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1040138",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1040138"
            },
            {
              "name": "https://www.symantec.com/security-center/network-protection-security-advisories/SA155",
              "refsource": "CONFIRM",
              "url": "https://www.symantec.com/security-center/network-protection-security-advisories/SA155"
            },
            {
              "name": "102447",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/102447"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5",
    "assignerShortName": "symantec",
    "cveId": "CVE-2016-10257",
    "datePublished": "2018-01-10T02:00:00Z",
    "dateReserved": "2017-03-23T00:00:00",
    "dateUpdated": "2024-09-16T18:39:51.797Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-04070

CVE-2016-10257 (GCVE-0-2016-10257)

Tags

Sightings

Nomenclature