Executive Summary



This alert is flagged as belonging to the CWE/SANS Top 25 Common Weakness Enumeration.
Summary
Title: Blue Coat Malware Analysis appliance contains a cross-site scripting (XSS) vulnerability and information disclosure
Information
Name: VU#274244
First vendor publication: 2015-04-14
Vendor: VU-CERT
Last vendor modification: 2015-04-17
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Subscore: NA
Temporal Score: NA
Exploitability Subscore: NA
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Base Score: 5
Attack Range: Network
CVSS Impact Score: 2.9
Attack Complexity: Low
CVSS Exploit Score: 10
Authentication: None Required

Detail

Vulnerability Note VU#274244

Blue Coat Malware Analysis appliance contains a cross-site scripting (XSS) vulnerability and information disclosure

Original Release date: 14 Apr 2015 | Last revised: 17 Apr 2015

Overview

The Blue Coat Malware Analysis appliance is vulnerable to cross-site scripting (XSS) and information disclosure.

Description

The Blue Coat Malware Analysis appliance is a sandboxed appliance that scans for threats in files and downloads on the network.

A cross-site scripting vulnerability exists in search.php of the appliance. This vulnerability has been assigned CVE-2015-0937.

An information disclosure vulnerability exists in search.php of the appliance. By use of a specialized URL parameter, this vulnerability allows a user to search for and obtain a list of documents meeting certain keywords, even if those documents are private. This vulnerability has been assigned CVE-2015-0938.

These vulnerabilities have been observed in version 4.2.3.20150129-RELEASE; other releases may also be affected. For more information, please see Blue Coat's security advisory SA94.

The CVSS score below is based on CVE-2015-0937.

Impact

The cross-site scripting vulnerability may allow compromise of user credentials. The information disclosure vulnerability may allow private file data to be obtained by unauthorized users.

Solution

Update software

Blue Coat has addressed these vulnerabilities in version 4.2.4.20150312-RELEASE. Affected users are advised to upgrade as soon as possible.

Vendor Information

Vendor: Blue Coat Systems
Status: Affected
Date Notified: 02 Feb 2015
Date Updated: 07 Apr 2015

CVSS Metrics

Group          Score   Vector
Base           5.8     AV:N/AC:M/Au:N/C:P/I:P/A:N
Temporal       5.2     E:POC/RL:U/RC:C
Environmental  3.9     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • https://bto.bluecoat.com/security-advisory/sa94

Credit

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2015-0937, CVE-2015-0938
  • Date Public: 14 Apr 2015
  • Date First Published: 14 Apr 2015
  • Date Last Updated: 17 Apr 2015
  • Document Revision: 27


Original Source

Url : http://www.kb.cert.org/vuls/id/274244

CWE : Common Weakness Enumeration

%      Id        Name
50 %   CWE-200   Information Exposure
50 %   CWE-79    Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type          Description   Count
Application                 1

Alert History

Date and Information
2015-04-17 21:31:30
  • Multiple Updates
2015-04-17 17:25:04
  • Multiple Updates
2015-04-17 09:32:43
  • Multiple Updates
2015-04-14 17:24:26
  • First insertion