mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-07-29 05:56:59 +00:00
151 lines
6.5 KiB
JSON
151 lines
6.5 KiB
JSON
{
|
|
"data_version": "4.0",
|
|
"data_type": "CVE",
|
|
"data_format": "MITRE",
|
|
"CVE_data_meta": {
|
|
"ID": "CVE-2023-6452",
|
|
"ASSIGNER": "psirt@forcepoint.com",
|
|
"STATE": "PUBLIC"
|
|
},
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Forcepoint Web Security (Transaction Viewer) allows Stored XSS.\n\n\n\n\n\nThe\n Forcepoint Web Security portal allows administrators to generate \ndetailed reports on user requests made through the Web proxy. It has \nbeen determined that the \"user agent\" field in the Transaction Viewer is\n vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability, \nwhich can be exploited by any user who can route traffic through the \nForcepoint Web proxy.\n\nThis \nvulnerability enables unauthorized attackers to execute JavaScript \nwithin the browser context of a Forcepoint administrator, thereby \nallowing them to perform actions on the administrator's behalf. Such a \nbreach could lead to unauthorized access or modifications, posing a \nsignificant security risk.\n\n\n\n\n\n\nThis issue affects Web Security: before 8.5.6."
|
|
}
|
|
]
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
|
|
"cweId": "CWE-79"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"vendor_name": "Forcepoint",
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "Web Security",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_value": "not down converted",
|
|
"x_cve_json_5_version_data": {
|
|
"versions": [
|
|
{
|
|
"lessThan": "8.5.6",
|
|
"status": "affected",
|
|
"version": "0",
|
|
"versionType": "semver"
|
|
}
|
|
],
|
|
"defaultStatus": "affected"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"url": "https://support.forcepoint.com/s/article/000042212",
|
|
"refsource": "MISC",
|
|
"name": "https://support.forcepoint.com/s/article/000042212"
|
|
}
|
|
]
|
|
},
|
|
"generator": {
|
|
"engine": "Vulnogram 0.2.0"
|
|
},
|
|
"source": {
|
|
"discovery": "UNKNOWN"
|
|
},
|
|
"configuration": [
|
|
{
|
|
"lang": "en",
|
|
"supportingMedia": [
|
|
{
|
|
"base64": false,
|
|
"type": "text/html",
|
|
"value": "The\n User Agent field must be displayed in the Transaction Viewer, it is not by default. Users \nshould avoid adding the User Agent field to the Transaction Viewer until the workaround is implemented or Web Security is upgraded to version 8.5.6 or later."
|
|
}
|
|
],
|
|
"value": "The\n User Agent field must be displayed in the Transaction Viewer, it is not by default. Users \nshould avoid adding the User Agent field to the Transaction Viewer until the workaround is implemented or Web Security is upgraded to version 8.5.6 or later."
|
|
}
|
|
],
|
|
"work_around": [
|
|
{
|
|
"lang": "en",
|
|
"supportingMedia": [
|
|
{
|
|
"base64": false,
|
|
"type": "text/html",
|
|
"value": "<p>\nUsers \nshould avoid adding the User Agent field to the Transaction Viewer until the workaround is implemented or Web Security is upgraded to version 8.5.6 or later.\n\n\n\n</p>"
|
|
}
|
|
],
|
|
"value": "Users \nshould avoid adding the User Agent field to the Transaction Viewer until the workaround is implemented or Web Security is upgraded to version 8.5.6 or later."
|
|
}
|
|
],
|
|
"solution": [
|
|
{
|
|
"lang": "en",
|
|
"supportingMedia": [
|
|
{
|
|
"base64": false,
|
|
"type": "text/html",
|
|
"value": "<p>Customers should update to version 8.5.6 or follow the steps outlined in <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.forcepoint.com/s/article/000042212\">https://support.forcepoint.com/s/article/000042212</a> for version 8.5.5.</p>"
|
|
}
|
|
],
|
|
"value": "Customers should update to version 8.5.6 or follow the steps outlined in\u00a0 https://support.forcepoint.com/s/article/000042212 \u00a0for version 8.5.5."
|
|
}
|
|
],
|
|
"credits": [
|
|
{
|
|
"lang": "en",
|
|
"value": "Jasper Westerman"
|
|
},
|
|
{
|
|
"lang": "en",
|
|
"value": "Yanick de Pater"
|
|
},
|
|
{
|
|
"lang": "en",
|
|
"value": "Harm Blankers from REQON"
|
|
}
|
|
],
|
|
"impact": {
|
|
"cvss": [
|
|
{
|
|
"attackComplexity": "LOW",
|
|
"attackVector": "NETWORK",
|
|
"availabilityImpact": "HIGH",
|
|
"baseScore": 9.6,
|
|
"baseSeverity": "CRITICAL",
|
|
"confidentialityImpact": "HIGH",
|
|
"integrityImpact": "HIGH",
|
|
"privilegesRequired": "NONE",
|
|
"scope": "CHANGED",
|
|
"userInteraction": "REQUIRED",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
|
|
"version": "3.1"
|
|
}
|
|
]
|
|
}
|
|
} |