Vulnerability Note VU#719172
Symantec Web Gateway contains SQL injection and cross-site scripting vulnerabilities
Symantec Web Gateway 220.127.116.11, and possibly earlier versions, contains cross-site scripting and SQL injection vulnerabilities.
CVE-2014-1652 - CWE-79: Improper Neutralization of Input During Web Page Generation
Symantec Web Gateway 18.104.22.168, and possibly earlier versions, contains a cross-site scripting vulnerability in the filter_date_period, variable and operator parameters of the /spywall/entSummary.php, /spywall/custom_report.php, /spywall/host_spy_report.php and /spywall/repairedclients.php pages.
A remote unauthenticated attacker may be able to inject arbitrary script or SQL commands.
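As a detection aid for the pages and parameters listed above, the following added example (not part of the original note and not Symantec's code) scans web access log lines for requests to those pages whose filter_date_period, variable or operator values contain characters outside an allow-list. The allow-list, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Pages and parameters named in this note.
PAGES = {"/spywall/entSummary.php", "/spywall/custom_report.php",
         "/spywall/host_spy_report.php", "/spywall/repairedclients.php"}
PARAMS = {"filter_date_period", "variable", "operator"}

# Assumption: legitimate values are short tokens of letters, digits and a few
# separators. Anything else (markup, quotes, parentheses) is reported.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.,:\- ]{0,64}")

# Request field of a common/combined format access log line (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines, not taken from a real appliance.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jun/2014:10:00:01 +0000] "GET /spywall/entSummary.php?filter_date_period=7&variable=hosts HTTP/1.1" 200 5120',
    '192.0.2.44 - - [17/Jun/2014:10:02:13 +0000] "GET /spywall/custom_report.php?operator=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4811',
    '192.0.2.44 - - [17/Jun/2014:10:02:20 +0000] "GET /spywall/repairedclients.php?variable=x%2522%253E HTTP/1.1" 200 4790',
    '192.0.2.10 - - [17/Jun/2014:10:03:05 +0000] "GET /help/index.html?variable=%3Cb%3E HTTP/1.1" 404 210',
]


def suspicious_params(target):
    """Return [(param, decoded_value)] for watched params with unexpected characters."""
    parts = urlsplit(target)
    if parts.path not in PAGES:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)  # second decode exposes double-encoded input
        if name in PARAMS and not SAFE_VALUE.fullmatch(value):
            hits.append((name, value))
    return hits


def scan(lines):
    """Yield (line_number, param, value) for each flagged request line."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if match:
            for name, value in suspicious_params(match.group(1)):
                yield number, name, value


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs record only the request line, so parameters sent in a POST body are not covered by this check.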
Apply an Update
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Symantec | Affected | 25 Feb 2014 | 17 Jun 2014 |
CVSS Metrics
Thanks to Min1214 of INFOSEC Inc. working through KrCERT/CC for reporting these vulnerabilities.
This document was written by Jared Allar.
- CVE IDs: CVE-2014-1652 CVE-2014-1651
- Date Public: 16 Jun 2014
- Date First Published: 17 Jun 2014
- Date Last Updated: 17 Jun 2014
- Document Revision: 12