Vulnerability Note VU#807134
WatchGuard Fireware XTM devices contain a cross-site scripting vulnerability
Original Release date: 13 Mar 2014 | Last revised: 13 Mar 2014

Overview
WatchGuard Fireware XTM 11.8.1, and possibly earlier versions, contains a cross-site scripting vulnerability.

Description
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
WatchGuard Fireware XTM 11.8.1 contains a cross-site scripting vulnerability in the "poll_name" parameter of the "firewall/policy" page.

Additional details may be found in the WatchGuard advisory.

Impact
A remote attacker who is able to trick a user into visiting a specially crafted URL may be able to conduct a cross-site scripting attack. This attack may result in information leakage, privilege escalation, and/or denial of service.
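
Because the attack is delivered through a crafted URL, defenders can review web or proxy access logs for requests to the affected page that carry markup in the affected parameter. The Python check below is an added example, not part of the original note or of WatchGuard's code. Only the "firewall/policy" path and the "poll_name" parameter come from this note; the log format, the character allowlist and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Only these two names come from the vulnerability note.
VULN_PATH = "firewall/policy"
VULN_PARAM = "poll_name"
# Assumption: a legitimate value needs only these characters.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9 _.\-]*$")
# Assumption: Common Log Format style request field.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (line_number, decoded_value) for poll_name values outside the allowlist."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.rstrip("/").endswith(VULN_PATH):
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() != VULN_PARAM:
                continue
            decoded = fully_decode(value)  # parse_qsl has already decoded once
            if not SAFE_VALUE.match(decoded):
                hits.append((number, decoded))
    return hits

# Constructed sample lines (not real traffic); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - admin [13/Mar/2014:10:00:01 +0000] "GET /firewall/policy?poll_name=HTTP-proxy HTTP/1.1" 200 5120',
    '192.0.2.10 - admin [13/Mar/2014:10:02:17 +0000] "GET /firewall/policy?poll_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5188',
    '192.0.2.11 - admin [13/Mar/2014:10:03:40 +0000] "GET /firewall/policy?poll_name=%2522%253E%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 5170',
    '192.0.2.12 - - [13/Mar/2014:10:05:02 +0000] "GET /dashboard?poll_name=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: suspicious poll_name value {value!r}")
```

Values sent in a POST body do not appear in request-line logs, so this check only covers parameters carried in the URL.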

Solution
Apply an Update

WatchGuard Fireware XTM 11.8.3 addresses this vulnerability.

Vendor Information

Vendor | Status | Date Notified | Date Updated
Watchguard Technologies, Inc. | Affected | 23 Jan 2014 | 13 Mar 2014

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N
Temporal | 3.4 | E:POC/RL:OF/RC:C
Environmental | 0.8 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

http://watchguardsecuritycenter.com/2014/03/13/fireware-xtm-11-8-3-update-corrects-xss-flaw/
http://watchguardsecuritycenter.com/2014/03/13/new-release-fireware-xtm-11-8-3-and-wsm-11-8-3/

Credit

Thanks to William Costa for reporting this vulnerability.
This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2014-0338
Date Public: 13 Mar 2014
Date First Published: 13 Mar 2014
Date Last Updated: 13 Mar 2014
Document Revision: 13

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.