FKIE_CVE-2014-9711

Vulnerability from fkie_nvd - Published: 2015-03-25 14:59 - Updated: 2025-04-12 10:46
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the Investigative Reports in Websense TRITON AP-WEB before 8.0.0 and Web Security and Filter, Web Security Gateway, and Web Security Gateway Anywhere 7.8.3 before Hotfix 02 and 7.8.4 before Hotfix 01 allow remote attackers to inject arbitrary web script or HTML via the (1) ReportName (Job Name) parameter to the Explorer report scheduler (cgi-bin/WsCgiExplorerSchedule.exe) in the Job Queue or the col parameter to the (2) Names or (3) Anonymous (explorer_wse/explorer_anon.exe) summary report page.
References
cve@mitre.orghttp://packetstormsecurity.com/files/130903/Websense-Explorer-Report-Scheduler-Cross-Site-Scripting.htmlExploit
cve@mitre.orghttp://packetstormsecurity.com/files/130905/Websense-Reporting-Cross-Site-Scripting.htmlExploit
cve@mitre.orghttp://seclists.org/fulldisclosure/2015/Mar/109
cve@mitre.orghttp://seclists.org/fulldisclosure/2015/Mar/110
cve@mitre.orghttp://www.securityfocus.com/archive/1/534915/100/0/threaded
cve@mitre.orghttp://www.securityfocus.com/archive/1/534917/100/0/threaded
cve@mitre.orghttp://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0Vendor Advisory
cve@mitre.orghttp://www.websense.com/support/article/kbarticle/v7-8-3-About-Hotfix-02-for-Web-Security-SolutionsVendor Advisory
cve@mitre.orghttp://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-01-for-Web-Security-SolutionsVendor Advisory
cve@mitre.orghttps://www.securify.nl/advisory/SFY20140911/cross_site_scripting_vulnerability_in_websense_explorer_report_scheduler.htmlExploit
cve@mitre.orghttps://www.securify.nl/advisory/SFY20140914/multiple_cross_site_scripting_vulnerabilities_in_websense_reporting.htmlExploit
af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.com/files/130903/Websense-Explorer-Report-Scheduler-Cross-Site-Scripting.htmlExploit
af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.com/files/130905/Websense-Reporting-Cross-Site-Scripting.htmlExploit
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2015/Mar/109
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2015/Mar/110
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/archive/1/534915/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/archive/1/534917/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.websense.com/support/article/kbarticle/v7-8-3-About-Hotfix-02-for-Web-Security-SolutionsVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-01-for-Web-Security-SolutionsVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.securify.nl/advisory/SFY20140911/cross_site_scripting_vulnerability_in_websense_explorer_report_scheduler.htmlExploit
af854a3a-2127-422b-91ae-364da2661108https://www.securify.nl/advisory/SFY20140914/multiple_cross_site_scripting_vulnerabilities_in_websense_reporting.htmlExploit
Impacted products
Vendor Product Version
websense triton_ap_web *
websense triton_web_filter *
websense triton_web_security *
websense triton_web_security_gateway *
websense triton_web_security_gateway_anywhere *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:websense:triton_ap_web:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5078B495-2891-465E-BFA2-9A5C9EB8D557",
              "versionEndIncluding": "7.8.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:websense:triton_web_filter:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8BA2ABEB-3229-47D9-8261-564CC112B0C4",
              "versionEndIncluding": "7.8.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:websense:triton_web_security:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "79BB7648-75D8-4E40-9FE2-FC404B3A05F3",
              "versionEndIncluding": "7.8.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:websense:triton_web_security_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F3AEDFA8-81D6-4387-AEEC-3FF313A6F84A",
              "versionEndIncluding": "7.8.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:websense:triton_web_security_gateway_anywhere:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A238CA94-63D1-4F60-BBAE-F5A5554F0759",
              "versionEndIncluding": "7.8.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple cross-site scripting (XSS) vulnerabilities in the Investigative Reports in Websense TRITON AP-WEB before 8.0.0 and Web Security and Filter, Web Security Gateway, and Web Security Gateway Anywhere 7.8.3 before Hotfix 02 and 7.8.4 before Hotfix 01 allow remote attackers to inject arbitrary web script or HTML via the (1) ReportName (Job Name) parameter to the Explorer report scheduler (cgi-bin/WsCgiExplorerSchedule.exe) in the Job Queue or the col parameter to the (2) Names or (3) Anonymous (explorer_wse/explorer_anon.exe) summary report page."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de XSS en los informes investigativos en Websense TRITON AP-WEB anterior a 8.0.0 y Web Security and Filter, Web Security Gateway, y Web Security Gateway Anywhere 7.8.3 anterior a Hotfix 02 y 7.8.4 anterior a Hotfix 01 permiten a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a trav\u00e9s (1) del par\u00e1metro ReportName (Job Name) en el planificador de informes de Explorer (cgi-bin/WsCgiExplorerSchedule.exe) en la cola de tareas o el par\u00e1metro col en la p\u00e1gina de informes de res\u00famenes (2) nombres (Names) o (3) an\u00f3nimos (Anonymous) (explorer_wse/explorer_anon.exe)."
    }
  ],
  "id": "CVE-2014-9711",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2015-03-25T14:59:00.063",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "http://packetstormsecurity.com/files/130903/Websense-Explorer-Report-Scheduler-Cross-Site-Scripting.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "http://packetstormsecurity.com/files/130905/Websense-Reporting-Cross-Site-Scripting.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://seclists.org/fulldisclosure/2015/Mar/109"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://seclists.org/fulldisclosure/2015/Mar/110"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/534915/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/534917/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.websense.com/support/article/kbarticle/v7-8-3-About-Hotfix-02-for-Web-Security-Solutions"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-01-for-Web-Security-Solutions"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.securify.nl/advisory/SFY20140911/cross_site_scripting_vulnerability_in_websense_explorer_report_scheduler.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.securify.nl/advisory/SFY20140914/multiple_cross_site_scripting_vulnerabilities_in_websense_reporting.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://packetstormsecurity.com/files/130903/Websense-Explorer-Report-Scheduler-Cross-Site-Scripting.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://packetstormsecurity.com/files/130905/Websense-Reporting-Cross-Site-Scripting.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://seclists.org/fulldisclosure/2015/Mar/109"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://seclists.org/fulldisclosure/2015/Mar/110"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/534915/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/534917/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.websense.com/support/article/kbarticle/v7-8-3-About-Hotfix-02-for-Web-Security-Solutions"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-01-for-Web-Security-Solutions"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.securify.nl/advisory/SFY20140911/cross_site_scripting_vulnerability_in_websense_explorer_report_scheduler.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.securify.nl/advisory/SFY20140914/multiple_cross_site_scripting_vulnerabilities_in_websense_reporting.html"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.