Websense Triton Unified Security Center 7.7.3 and possibly earlier versions contain an information disclosure vulnerability which could allow an authenticated attacker to view stored credentials of a possibly higher privileged user.
CWE-200: Information Exposure
When logged into the Websense Triton Unified Security Center 7.7.3 and possibly earlier versions with any permission level, it is possible to navigate to the “Log Database” or “User Directories” portions of the “Settings” module. In either section, it is possible to use a web browser to “Inspect Elements” within the page.
An authenticated attacker can view stored credentials of a possibly higher privileged user.
Additional information can be found in the Websense V7.7.3 HF31 Manager Password Vulnerability issue advisory.
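A check for this class of exposure (CWE-200 through credentials rendered into page markup), added here as an example and not taken from Websense or the advisory. It assumes the stored credential reaches the browser as the `value` of a form input, a detail the advisory does not state; the sample page and all field names are constructed.

```python
from html.parser import HTMLParser

# Constructed sample of a settings page; every field name here is hypothetical.
SAMPLE_PAGE = """
<form id="log-database">
  <input type="text" name="dbUser" value="svc_logdb">
  <input type="password" name="dbPassword" value="constructed-secret-1">
  <input type="PASSWORD" name="dirPassword" value="">
  <input type="password" name="maskedPassword" value="********">
  <input type="hidden" name="bindSecret" value="constructed-secret-2" />
</form>
"""

NAME_HINTS = ("pass", "pwd", "secret")  # assumed naming conventions
MASK_CHARS = set("*\u2022")             # placeholder-only values are not secrets


class _Finder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}  # names arrive lower-cased
        kind = a.get("type", "text").lower()
        name = a.get("name", "")
        value = a.get("value", "")
        sensitive = kind == "password" or any(h in name.lower() for h in NAME_HINTS)
        if sensitive and value and not set(value) <= MASK_CHARS:
            # Record where the secret is, never the secret itself.
            self.findings.append((name, kind))


def find_prefilled_secrets(html):
    """Return (field name, input type) for each credential present in the markup."""
    finder = _Finder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for name, kind in find_prefilled_secrets(SAMPLE_PAGE):
        print(f"credential value rendered into page: name={name} type={kind}")
```

Run it against the rendered HTML of each settings page as fetched by the lowest-privileged role; any finding means a secret was sent to a browser that should only have received a placeholder.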
Thanks to Patrick Kelley of Critical Assets for reporting this vulnerability.
This document was written by Michael Orlando.
Date First Published: 2014-04-07
Date Last Updated: 2014-04-07 17:09 UTC