Symantec Web Gateway 126.96.36.199, and possibly earlier versions, contains cross-site scripting and SQL injection vulnerabilities.
CVE-2014-1652 - CWE-79: Improper Neutralization of Input During Web Page Generation
Symantec Web Gateway 188.8.131.52, and possibly earlier versions, contains a cross-site scripting vulnerability in the filter_date_period, variable and operator parameters of the /spywall/entSummary.php, /spywall/custom_report.php, /spywall/host_spy_report.php and /spywall/repairedclients.php pages.
A remote unauthenticated attacker may be able to inject arbitrary script or SQL commands.
Apply an Update
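
A log-review check for the pages and parameters named above, as an added example that is not part of the original advisory or the vendor's code. It assumes web access logs in combined log format and that legitimate parameter values are short alphanumeric tokens; both are assumptions to adjust for the deployment being reviewed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Pages and parameters named in the advisory.
PAGES = {
    "/spywall/entSummary.php",
    "/spywall/custom_report.php",
    "/spywall/host_spy_report.php",
    "/spywall/repairedclients.php",
}
PARAMS = {"filter_date_period", "variable", "operator"}

# Assumption: legitimate values are short tokens; anything else is flagged for review.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:\- ]{0,64}")

# Request field of a combined-log-format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_params(line):
    """Return (page, param, decoded value) tuples whose value fails the allowlist."""
    m = REQUEST.search(line)
    if not m:
        return []
    target = urlsplit(m.group(1))
    if target.path not in PAGES:
        return []
    hits = []
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        # parse_qsl decodes once; decode a second time to catch double encoding.
        decoded = unquote(value)
        if name in PARAMS and not SAFE_VALUE.fullmatch(decoded):
            hits.append((target.path, name, decoded))
    return hits


# Constructed sample lines (not taken from a real appliance).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2014:10:00:00 +0000] "GET /spywall/entSummary.php?filter_date_period=7 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2014:10:00:05 +0000] "GET /spywall/custom_report.php?variable=%3Cb%3Ex&operator=eq HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2014:10:00:09 +0000] "GET /spywall/repairedclients.php?operator=%2527 HTTP/1.1" 200 512',
    '192.0.2.13 - - [01/Jan/2014:10:00:12 +0000] "GET /index.php?variable=%3Cb%3E HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        for hit in suspicious_params(entry):
            print(hit)
```

Parameters sent in a POST body do not appear in access logs, so this check covers query-string requests only.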
Thanks to Min1214 of INFOSEC Inc. working through KrCERT/CC for reporting these vulnerabilities.
This document was written by Jared Allar.