Vulnerability Note VU#274244
Blue Coat Malware Analysis appliance contains a cross-site scripting (XSS) vulnerability and information disclosure
Original Release date: 14 Apr 2015 | Last revised: 17 Apr 2015

Overview
The Blue Coat Malware Analysis appliance is vulnerable to cross-site scripting (XSS) and information disclosure.

Description
The Blue Coat Malware Analysis appliance is a sandboxing appliance that analyzes files and downloads observed on the network for threats.
A cross-site scripting vulnerability exists in search.php of the appliance. This vulnerability has been assigned CVE-2015-0937.

An information disclosure vulnerability also exists in search.php of the appliance. By supplying a specially crafted URL parameter, a user can search for and obtain a list of documents matching given keywords, including documents that are marked private. This vulnerability has been assigned CVE-2015-0938.
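The note does not publish the parameter involved or the appliance's source, so the following is an added, hypothetical illustration rather than Blue Coat's code: a minimal search handler over a constructed document list, written once with the two defect classes described above (a client-controlled URL parameter trusted as an authorization decision, and the search term reflected into HTML unescaped) and once hardened. The parameter names (q, show_private), the document corpus and the user names are all assumptions made for the example.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed sample corpus for the demonstration; not data from any appliance.
# Documents marked private must only be visible to their owner.
DOCUMENTS = [
    {"id": 1, "title": "Quarterly malware report", "owner": "alice", "private": False},
    {"id": 2, "title": "Incident report draft", "owner": "alice", "private": True},
    {"id": 3, "title": "Sandbox report for sample 42", "owner": "bob", "private": True},
]


def build_query(**params):
    """Build a URL query string the way a browser would send it."""
    return urlencode(params)


def _matches(doc, keyword):
    return keyword.lower() in doc["title"].lower()


def vulnerable_search(query_string, user):
    """Hypothetical weak pattern (not the appliance's code).

    Two defects: the 'show_private' flag is a client-supplied URL parameter
    that is trusted as an authorization decision, and the search term is
    reflected into the HTML response without output encoding.
    """
    params = parse_qs(query_string)
    keyword = params.get("q", [""])[0]
    show_private = params.get("show_private", ["0"])[0] == "1"  # assumed parameter name

    hits = [d for d in DOCUMENTS
            if _matches(d, keyword) and (not d["private"] or show_private)]

    page = "<h1>Results for " + keyword + "</h1><ul>"  # reflected XSS sink
    page += "".join("<li>%s</li>" % d["title"] for d in hits)
    page += "</ul>"
    return [d["id"] for d in hits], page


def hardened_search(query_string, user):
    """Same endpoint with both defects fixed.

    Authorization is derived from the authenticated user (ignoring any URL
    flag), and every untrusted value is HTML-escaped where it enters markup.
    """
    params = parse_qs(query_string)
    keyword = params.get("q", [""])[0]

    hits = [d for d in DOCUMENTS
            if _matches(d, keyword) and (not d["private"] or d["owner"] == user)]

    page = "<h1>Results for " + html.escape(keyword, quote=True) + "</h1><ul>"
    page += "".join("<li>%s</li>" % html.escape(d["title"], quote=True) for d in hits)
    page += "</ul>"
    return [d["id"] for d in hits], page


if __name__ == "__main__":
    qs = build_query(q="report", show_private="1")
    print("vulnerable, anonymous user:", vulnerable_search(qs, "anonymous")[0])  # [1, 2, 3]
    print("hardened, anonymous user:  ", hardened_search(qs, "anonymous")[0])    # [1]
    print("hardened, alice:           ", hardened_search(qs, "alice")[0])        # [1, 2]
    xss = build_query(q="<script>alert(1)</script>")
    print(vulnerable_search(xss, "alice")[1])
    print(hardened_search(xss, "alice")[1])
```

The point of the hardened version is that the server never consults the request to decide what the caller may see; the visibility filter uses only the identity established by the session, and the filtered result is encoded before it is rendered, so a crafted keyword can neither widen the result set nor inject markup.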

These vulnerabilities have been observed in version 4.2.3.20150129-RELEASE; other releases may also be affected. For more information, please see Blue Coat's security advisory SA94.

The CVSS score below is based on CVE-2015-0937.

Impact
The cross-site scripting vulnerability may allow an attacker to run script in the browser of an authenticated user of the appliance, which can lead to compromise of that user's session or credentials. The information disclosure vulnerability may allow private file data to be obtained by unauthorized users.

Solution
Update software

Blue Coat has addressed these vulnerabilities in version 4.2.4.20150312-RELEASE. Affected users should upgrade as soon as possible.

Vendor Information

Vendor: Blue Coat Systems
Status: Affected
Date Notified: 02 Feb 2015
Date Updated: 07 Apr 2015

CVSS Metrics

Group           Score   Vector
Base            5.8     AV:N/AC:M/Au:N/C:P/I:P/A:N
Temporal        5.2     E:POC/RL:U/RC:C
Environmental   3.9     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

https://bto.bluecoat.com/security-advisory/sa94

Credit
This document was written by Garret Wassermann.

Other Information

CVE IDs:
CVE-2015-0937
CVE-2015-0938

Date Public:
14 Apr 2015

Date First Published:
14 Apr 2015

Date Last Updated:
17 Apr 2015

Document Revision:
27

