cvelistv5 - cve-2013-2643

CVE-2013-2643 (GCVE-0-2013-2643)

Vulnerability from cvelistv5

Published

2014-03-18 14:00

Modified

2024-08-06 15:44

Severity ?

CWE

Summary

References

URL	Tags
cve@mitre.org	http://www.sophos.com/en-us/support/knowledgebase/118969.aspx	Vendor Advisory
cve@mitre.org	https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://www.sophos.com/en-us/support/knowledgebase/118969.aspx	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt	Exploit

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T15:44:32.619Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.sophos.com/en-us/support/knowledgebase/118969.aspx"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-04-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appliance before 3.7.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) xss parameter in an allow action to rss.php, (2) msg parameter to end-user/errdoc.php, (3) h parameter to end-user/ftp_redirect.php, or (4) threat parameter to the Blocked component."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2014-03-18T12:57:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.sophos.com/en-us/support/knowledgebase/118969.aspx"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2013-2643",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appliance before 3.7.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) xss parameter in an allow action to rss.php, (2) msg parameter to end-user/errdoc.php, (3) h parameter to end-user/ftp_redirect.php, or (4) threat parameter to the Blocked component."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt",
              "refsource": "MISC",
              "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt"
            },
            {
              "name": "http://www.sophos.com/en-us/support/knowledgebase/118969.aspx",
              "refsource": "CONFIRM",
              "url": "http://www.sophos.com/en-us/support/knowledgebase/118969.aspx"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2013-2643",
    "datePublished": "2014-03-18T14:00:00",
    "dateReserved": "2013-03-22T00:00:00",
    "dateUpdated": "2024-08-06T15:44:32.619Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2013-2643\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2014-03-18T17:02:51.887\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appliance before 3.7.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) xss parameter in an allow action to rss.php, (2) msg parameter to end-user/errdoc.php, (3) h parameter to end-user/ftp_redirect.php, or (4) threat parameter to the Blocked component.\"},{\"lang\":\"es\",\"value\":\"M\u00faltiples vulnerabilidades de XSS en Sophos Web Appliance anterior a 3.7.8.2 permiten a atacantes remotos inyectar script Web o HTML arbitrarios a trav\u00e9s del (1) par\u00e1metro xss en una acci\u00f3n permitida hacia rss.php, (2) par\u00e1metro msg hacia end-user/errdoc.php, (3) par\u00e1metro h hacia end-user/ftp_redirect.php o (4) par\u00e1metro threat hacia el componente Blocked.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:sophos:web_appliance_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.7.8.1\",\"matchCriteriaId\":\"5A72A59D-1018-43D3-B7E8-53F0AA013C18\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:sophos:web_appliance:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"37CBAA36-B58B-4D52-B674-E795290D42EE\"}]}]}],\"references\":[{\"url\":\"http://www.sophos.com/en-us/support/knowledgebase/118969.aspx\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\"]},{\"url\":\"http://www.sophos.com/en-us/support/knowledgebase/118969.aspx\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]}]}}"
  }
}

var-201403-0044

Vulnerability from variot

Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appliance before 3.7.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) xss parameter in an allow action to rss.php, (2) msg parameter to end-user/errdoc.php, (3) h parameter to end-user/ftp_redirect.php, or (4) threat parameter to the Blocked component. Sophos Web Appliance Contains a cross-site scripting vulnerability.By any third party, any Web Script or HTML May be inserted. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Versions prior to Sophos Web Protection Appliance 3.7.8.2 are vulnerable. The product supports real-time network threat protection, custom web filtering and dynamic control applications, etc. SEC Consult Vulnerability Lab Security Advisory < 20130403-0 > ======================================================================= title: Multiple vulnerabilities product: Sophos Web Protection Appliance vulnerable version: <= 3.7.8.1 fixed version: 3.7.8.2 impact: Critical CVE number: CVE-2013-2641, CVE-2013-2642, CVE-2013-2643 homepage: http://www.sophos.com/ found: 2013-01-14 by: Wolfgang Ettlinger SEC Consult Vulnerability Lab https://www.sec-consult.com

=======================================================================

Vendor/product description:

"Our award-winning Secure Web Gateway appliances make web protection easy. They are quick to setup, simple to manage and make policy administration a snap, even for non-technical users."

URL: http://www.sophos.com/en-us/products/web/web-protection.aspx

Business recommendation:

SEC Consult has identified several vulnerabilities within the components of the Sophos Web Protection Appliance in the course of a short crash test. Some components have been spot-checked, while others have not been tested at all.

An attacker can get unauthorized access to the appliance and plant backdoors or access configuration files containing credentials for other systems (eg. Active Directory/FTP login) which can be used in further attacks. Since all web traffic passes through the appliance, interception of HTTP as well as the plaintext form of HTTPS traffic (if HTTPS Scanning feature in use), including sensitive information like passwords and session Cookies is possible. If HTTPS Scanning is enabled, the appliance holds a private key for a Certificate Authority (CA) certificate that is installed/trusted on all workstations in the company. If this private key is compromised by an attacker, arbitrary certificates can be signed. These certificates will then pass validation on the client machines, enabling in various attacks targeting clients (MITM, phishing, evilgrade, ...).

The recommendation of SEC Consult is to switch off the product until a comprehensive security audit based on a security source code review has been performed and all identified security deficiencies have been resolved by the vendor.

Vulnerability overview/description:

1) Unauthenticated local file disclosure (CVE-2013-2641) Unauthenticated users can read arbitrary files from the filesystem with the privileges of the "spiderman" operating system user. These files include configuration files containing sensitive information such as clear text passwords which can be used in other attacks. Furthermore the webserver log file which holds valid PHP session IDs can be accessed. With this information administrator users can be impersonated.

2) OS command injection (CVE-2013-2642) Authenticated users can execute arbitrary commands on the underlying operating system with the privileges of the "spiderman" operating system user. This can be used to get persistent access to the affected system (eg. by planting backdoors), accessing all kinds locally stored information or intercepting web traffic that passes through the appliance. Unauthenticated users can exploit this kind of vulnerability too (depends on appliance configuration).

3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643) Reflected Cross Site Scripting vulnerabilities were found. An attacker can use these vulnerabilities the exploit other vulnerabilities in the web interface or conducting phishing attacks.

Proof of concept:

1) Unauthenticated local file disclosure (CVE-2013-2641) As an example, an unauthenticated user can download the configuration file containing the salted hash of the administrator password as well as clear text passwords e.g. for FTP backup storage or Active Directory authentication:

https:///cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00

Furthermore the Apache access log can be retrieved. As PHP session IDs are passed via the URL rather than via Cookies, these can be found in this log file and effectively used to impersonate administrator users:

https:///cgi-bin/patience.cgi?id=../../log/ui_access_log%00

An excerpt from the log file shows that it contains PHP session ID information (parameter "STYLE"). - - [21/Feb/2013:17:02:17 +0000] "POST /index.php?c=dashboard HTTP/1.1" 200 139 "https:///index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"

2) OS command injection (CVE-2013-2642) The "Diagnostic Tools" functionality allows an authenticated user to inject arbitrary operating system commands enclosed in backticks (`). These commands are run with the privileges of the operating system user "spiderman":

POST /index.php?c=diagnostic_tools HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 92 Cache-Control: no-cache

action=wget&section=configuration&STYLE=&url=%60sleep%205%60

The "Local Site List" functionality allows injection of arbitrary OS commands:

POST /index.php?c=local_site_list_editor HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 205

STYLE=&action=save&entries=[{"url"%3a+".'sleep+10'",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}]

Note: Unauthenticated users can retrieve valid session IDs using the vulnerability in 1).

If a customized template for the "Block page" uses the variable "%%user_workstation%%", an unauthenticated user can inject OS commands using the following URL:

https:///end-user/index.php?reason=application&client-ip=%20%60sleep+10%60

3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643) The following URLs demonstrate reflected Cross Site Scripting vulnerabilities:

https:///rss.php?action=allow&xss=%3Cscript%3Ealert%28String.fromCharCode%28120,%20115,%20115%29%29%3C/script%3E https:///end-user/errdoc.php?e=530&msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ%2bCg%3d%3d https:///end-user/ftp_redirect.php?r=x&h=%3C/script%3E%3Cscript%3Ealert%281%29%3b%3C/script%3E https:///index.php?c=blocked&reason=malware&user=&&threat=%3Cscript%3Ealert%281%29%3C/script%3E

As the application uses URL parameters to transmit session IDs and rather than cookies, session stealing attacks cannot be executed using these flaws. However, these vulnerabilities can still be used to fake login pages for phishing purposes. Furthermore the vulnerabilities in 1) and 2) can be exploited via one of the XSS vulnerabilities. This enables attacks on the appliance even when the web interface would otherwise not be reachable to the attacker.

Possible attack scenario: Use XSS to run malicous Javascript in the browser of a user who has network access to the web interface. This code can: - Exploit the local file disclosure vulnerability (see 1) in order to gain access to valid session IDs and impersonate administrator users. - Exploit the OS command injection (see 2) in order to execute arbitrary commands on the system. - Exfiltrate sensitive information like HTTP, (plaintext) HTTPS traffic or the private key for the CA certificate used for HTTPS scanning (MITM).

Vendor contact timeline:

2013-02-22: Sending advisory and proof of concept exploit via encrypted channel. 2013-02-23: Vendor acknowledges receipt of advisory. 2013-03-01: Vendor confirms reported issues and provides preliminary information about release dates. 2013-03-07: Conference call: Addressing the risks the discovered vulnerabilities pose to customers and release schedule. 2013-03-18: Vendor starts rollout of update to "a first group of customers". 2013-04-03: SEC Consult releases coordinated security advisory.

More information can be found at: http://www.sophos.com/en-us/support/knowledgebase/118969.aspx

Workaround:

No workaround available.

Advisory URL:

https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH

Office Vienna Mooslackengasse 17 A-1190 Vienna Austria

Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com https://www.sec-consult.com http://blog.sec-consult.com

EOF Wolfgang Ettlinger, Stefan Viehb\xf6ck / @2013

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201403-0044",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "web appliance",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.7.8.1"
      },
      {
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": null
      },
      {
        "model": "web appliance",
        "scope": null,
        "trust": 0.8,
        "vendor": "sophos",
        "version": null
      },
      {
        "model": "web appliance",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "sophos",
        "version": "3.7.8.2"
      },
      {
        "model": "web appliance",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "sophos",
        "version": "3.7.8.1"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-006230"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201304-062"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-2643"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/h:sophos:web_appliance",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:sophos:web_appliance_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-006230"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Wolfgang Ettlinger of SEC Consult Vulnerability Lab",
    "sources": [
      {
        "db": "BID",
        "id": "58834"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2013-2643",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "CVE-2013-2643",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "VHN-62645",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2013-2643",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2013-2643",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201304-062",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-62645",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-62645"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-006230"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201304-062"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-2643"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appliance before 3.7.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) xss parameter in an allow action to rss.php, (2) msg parameter to end-user/errdoc.php, (3) h parameter to end-user/ftp_redirect.php, or (4) threat parameter to the Blocked component. Sophos Web Appliance Contains a cross-site scripting vulnerability.By any third party, any Web Script or HTML May be inserted. \nAn attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. \nVersions prior to Sophos Web Protection Appliance 3.7.8.2 are vulnerable. The product supports real-time network threat protection, custom web filtering and dynamic control applications, etc. SEC Consult Vulnerability Lab Security Advisory \u003c 20130403-0 \u003e\n=======================================================================\n              title: Multiple vulnerabilities\n            product: Sophos Web Protection Appliance\n vulnerable version: \u003c= 3.7.8.1\n      fixed version: 3.7.8.2\n             impact: Critical\n         CVE number: CVE-2013-2641, CVE-2013-2642, CVE-2013-2643\n           homepage: http://www.sophos.com/\n              found: 2013-01-14\n                 by: Wolfgang Ettlinger\n                     SEC Consult Vulnerability Lab\n                     https://www.sec-consult.com\n\n=======================================================================\n\nVendor/product description:\n-----------------------------\n\"Our award-winning Secure Web Gateway appliances make web protection easy. \nThey are quick to setup, simple to manage and make policy administration a\nsnap, even for non-technical users.\"\n\nURL: http://www.sophos.com/en-us/products/web/web-protection.aspx\n\n\nBusiness recommendation:\n------------------------\nSEC Consult has identified several vulnerabilities within the components of\nthe Sophos Web Protection Appliance in the course of a short crash test. Some\ncomponents have been spot-checked, while others have not been tested at all. \n\nAn attacker can get unauthorized access to the appliance and plant backdoors or\naccess configuration files containing credentials for other systems (eg. Active\nDirectory/FTP login) which can be used in further attacks. \nSince all web traffic passes through the appliance, interception of HTTP as\nwell as the plaintext form of HTTPS traffic (if HTTPS Scanning feature in use),\nincluding sensitive information like passwords and session Cookies is possible. \nIf HTTPS Scanning is enabled, the appliance holds a private key for a\nCertificate Authority (CA) certificate that is installed/trusted on all\nworkstations in the company. If this private key is compromised by an attacker,\narbitrary certificates can be signed. These certificates will then pass\nvalidation on the client machines, enabling in various attacks targeting\nclients (MITM, phishing, evilgrade, ...). \n\nThe recommendation of SEC Consult is to switch off the product until a\ncomprehensive security audit based on a security source code review has been\nperformed and all identified security deficiencies have been resolved by the\nvendor. \n\nVulnerability overview/description:\n-----------------------------------\n1) Unauthenticated local file disclosure (CVE-2013-2641)\nUnauthenticated users can read arbitrary files from the filesystem with the\nprivileges of the \"spiderman\" operating system user. These files include\nconfiguration files containing sensitive information such as clear text\npasswords which can be used in other attacks. \nFurthermore the webserver log file which holds valid PHP session IDs can be\naccessed. With this information administrator users can be impersonated. \n\n2) OS command injection (CVE-2013-2642)\nAuthenticated users can execute arbitrary commands on the underlying\noperating system with the privileges of the \"spiderman\" operating system user. \nThis can be used to get persistent access to the affected system (eg. by\nplanting backdoors), accessing all kinds locally stored information or\nintercepting web traffic that passes through the appliance. \nUnauthenticated users can exploit this kind of vulnerability too (depends on\nappliance configuration). \n\n3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)\nReflected Cross Site Scripting vulnerabilities were found. An attacker can use\nthese vulnerabilities the exploit other vulnerabilities in the web interface\nor conducting phishing attacks. \n\n\nProof of concept:\n-----------------\n1) Unauthenticated local file disclosure (CVE-2013-2641)\nAs an example, an unauthenticated user can download the configuration file\ncontaining the salted hash of the administrator password as well as clear text\npasswords e.g. for FTP backup storage or Active Directory authentication:\n\nhttps://\u003chost\u003e/cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00\n\nFurthermore the Apache access log can be retrieved. As PHP session IDs are\npassed via the URL rather than via Cookies, these can be found in this log\nfile and effectively used to impersonate administrator users:\n\nhttps://\u003chost\u003e/cgi-bin/patience.cgi?id=../../log/ui_access_log%00\n\nAn excerpt from the log file shows that it contains PHP session ID information\n(parameter \"STYLE\"). \n\u003chost\u003e - - [21/Feb/2013:17:02:17 +0000] \"POST /index.php?c=dashboard HTTP/1.1\" 200 139\n\"https://\u003chost\u003e/index.php?section=configuration\u0026c=configuration\u0026STYLE=8514d0a3c2fc9f8d47e2988076778153\"\n\"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0\"\n\n\n2) OS command injection (CVE-2013-2642)\nThe \"Diagnostic Tools\" functionality allows an authenticated user to inject\narbitrary operating system commands enclosed in backticks (`). These commands\nare run with the privileges of the operating system user \"spiderman\":\n\nPOST /index.php?c=diagnostic_tools HTTP/1.1\nHost: \u003chost\u003e\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nContent-Length: 92\nCache-Control: no-cache\n\naction=wget\u0026section=configuration\u0026STYLE=\u003cvalid session id\u003e\u0026url=%60sleep%205%60\n\n\nThe \"Local Site List\" functionality allows injection of arbitrary OS commands:\n\nPOST /index.php?c=local_site_list_editor HTTP/1.1\nHost: \u003chost\u003e\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nContent-Length: 205\n\nSTYLE=\u003cvalid session\nid\u003e\u0026action=save\u0026entries=[{\"url\"%3a+\".\u0027`sleep+10`\u0027\",+\"range\"%3a+\"no\",+\"tld\"%3a+\"yes\",+\"valid_range\"%3a+\"no\"}]\n\nNote: Unauthenticated users can retrieve valid session IDs using the\nvulnerability in 1). \n\nIf a customized template for the \"Block page\" uses the variable\n\"%%user_workstation%%\", an _unauthenticated_ user can inject OS commands using the\nfollowing URL:\n\nhttps://\u003chost\u003e/end-user/index.php?reason=application\u0026client-ip=%20%60sleep+10%60\n\n\n3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)\nThe following URLs demonstrate reflected Cross Site Scripting vulnerabilities:\n\nhttps://\u003chost\u003e/rss.php?action=allow\u0026xss=%3Cscript%3Ealert%28String.fromCharCode%28120,%20115,%20115%29%29%3C/script%3E\nhttps://\u003chost\u003e/end-user/errdoc.php?e=530\u0026msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ%2bCg%3d%3d\nhttps://\u003chost\u003e/end-user/ftp_redirect.php?r=x\u0026h=%3C/script%3E%3Cscript%3Ealert%281%29%3b%3C/script%3E\nhttps://\u003chost\u003e/index.php?c=blocked\u0026reason=malware\u0026user=\u0026\u0026threat=%3Cscript%3Ealert%281%29%3C/script%3E\n\nAs the application uses URL parameters to transmit session IDs and rather\nthan cookies, session stealing attacks cannot be executed using these flaws. \nHowever, these vulnerabilities can still be used to fake login pages for\nphishing purposes. \nFurthermore the vulnerabilities in 1) and 2) can be exploited via one of the\nXSS vulnerabilities. This enables attacks on the appliance even when the\nweb interface would otherwise not be reachable to the attacker. \n\nPossible attack scenario:\nUse XSS to run malicous Javascript in the browser of a user who has network\naccess to the web interface. This code can:\n- Exploit the local file disclosure vulnerability (see 1) in order to gain\n  access to valid session IDs and impersonate administrator users. \n- Exploit the OS command injection (see 2) in order to execute arbitrary\n  commands on the system. \n- Exfiltrate sensitive information like HTTP, (plaintext) HTTPS traffic or the\n  private key for the CA certificate used for HTTPS scanning (MITM). \n\n\nVendor contact timeline:\n------------------------\n2013-02-22: Sending advisory and proof of concept exploit via encrypted\n            channel. \n2013-02-23: Vendor acknowledges receipt of advisory. \n2013-03-01: Vendor confirms reported issues and provides preliminary\n            information about release dates. \n2013-03-07: Conference call: Addressing the risks the discovered\n            vulnerabilities pose to customers and release schedule. \n2013-03-18: Vendor starts rollout of update to \"a first group of customers\". \n2013-04-03: SEC Consult releases coordinated security advisory. \n\nMore information can be found at:\nhttp://www.sophos.com/en-us/support/knowledgebase/118969.aspx\n\n\nWorkaround:\n-----------\nNo workaround available. \n\n\nAdvisory URL:\n--------------\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\n\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nSEC Consult Unternehmensberatung GmbH\n\nOffice Vienna\nMooslackengasse 17\nA-1190 Vienna\nAustria\n\nTel.: +43 / 1 / 890 30 43 - 0\nFax.: +43 / 1 / 890 30 43 - 25\nMail: research at sec-consult dot com\nhttps://www.sec-consult.com\nhttp://blog.sec-consult.com\n\n\nEOF Wolfgang Ettlinger, Stefan Viehb\\xf6ck / @2013\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2013-2643"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-006230"
      },
      {
        "db": "BID",
        "id": "58834"
      },
      {
        "db": "VULHUB",
        "id": "VHN-62645"
      },
      {
        "db": "PACKETSTORM",
        "id": "121060"
      }
    ],
    "trust": 2.07
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-62645",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-62645"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2013-2643",
        "trust": 2.9
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-006230",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201304-062",
        "trust": 0.7
      },
      {
        "db": "SECUNIA",
        "id": "52814",
        "trust": 0.6
      },
      {
        "db": "BID",
        "id": "58834",
        "trust": 0.4
      },
      {
        "db": "EXPLOIT-DB",
        "id": "24932",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-62645",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "121060",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-62645"
      },
      {
        "db": "BID",
        "id": "58834"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-006230"
      },
      {
        "db": "PACKETSTORM",
        "id": "121060"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201304-062"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-2643"
      }
    ]
  },
  "id": "VAR-201403-0044",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-62645"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-08-14T13:35:19.710000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "118969",
        "trust": 0.8,
        "url": "http://www.sophos.com/en-us/support/knowledgebase/118969.aspx"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-006230"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-62645"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-006230"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-2643"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_sophos_web_protection_appliance_multiple_vulnerabilities.txt"
      },
      {
        "trust": 1.8,
        "url": "http://www.sophos.com/en-us/support/knowledgebase/118969.aspx"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-2643"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-2643"
      },
      {
        "trust": 0.6,
        "url": "http://secunia.com/advisories/52814"
      },
      {
        "trust": 0.4,
        "url": "http://www.sophos.com/"
      },
      {
        "trust": 0.1,
        "url": "https://\u003chost\u003e/end-user/errdoc.php?e=530\u0026msg=phnjcmlwdd5hbgvydcgnehnzjyk7pc9zy3jpchq%2bcg%3d%3d"
      },
      {
        "trust": 0.1,
        "url": "https://\u003chost\u003e/index.php?c=blocked\u0026reason=malware\u0026user=\u0026\u0026threat=%3cscript%3ealert%281%29%3c/script%3e"
      },
      {
        "trust": 0.1,
        "url": "https://www.sec-consult.com"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-2641"
      },
      {
        "trust": 0.1,
        "url": "https://\u003chost\u003e/end-user/ftp_redirect.php?r=x\u0026h=%3c/script%3e%3cscript%3ealert%281%29%3b%3c/script%3e"
      },
      {
        "trust": 0.1,
        "url": "http://www.sophos.com/en-us/products/web/web-protection.aspx"
      },
      {
        "trust": 0.1,
        "url": "https://\u003chost\u003e/index.php?section=configuration\u0026c=configuration\u0026style=8514d0a3c2fc9f8d47e2988076778153\""
      },
      {
        "trust": 0.1,
        "url": "https://\u003chost\u003e/cgi-bin/patience.cgi?id=../../log/ui_access_log%00"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-2642"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-2643"
      },
      {
        "trust": 0.1,
        "url": "http://blog.sec-consult.com"
      },
      {
        "trust": 0.1,
        "url": "https://\u003chost\u003e/cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00"
      },
      {
        "trust": 0.1,
        "url": "https://\u003chost\u003e/rss.php?action=allow\u0026xss=%3cscript%3ealert%28string.fromcharcode%28120,%20115,%20115%29%29%3c/script%3e"
      },
      {
        "trust": 0.1,
        "url": "https://\u003chost\u003e/end-user/index.php?reason=application\u0026client-ip=%20%60sleep+10%60"
      },
      {
        "trust": 0.1,
        "url": "https://www.sec-consult.com/en/vulnerability-lab/advisories.htm"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-62645"
      },
      {
        "db": "BID",
        "id": "58834"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-006230"
      },
      {
        "db": "PACKETSTORM",
        "id": "121060"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201304-062"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-2643"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-62645"
      },
      {
        "db": "BID",
        "id": "58834"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-006230"
      },
      {
        "db": "PACKETSTORM",
        "id": "121060"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201304-062"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-2643"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-03-18T00:00:00",
        "db": "VULHUB",
        "id": "VHN-62645"
      },
      {
        "date": "2013-04-03T00:00:00",
        "db": "BID",
        "id": "58834"
      },
      {
        "date": "2014-03-24T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-006230"
      },
      {
        "date": "2013-04-03T14:44:44",
        "db": "PACKETSTORM",
        "id": "121060"
      },
      {
        "date": "2013-04-11T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201304-062"
      },
      {
        "date": "2014-03-18T17:02:51.887000",
        "db": "NVD",
        "id": "CVE-2013-2643"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-03-19T00:00:00",
        "db": "VULHUB",
        "id": "VHN-62645"
      },
      {
        "date": "2013-04-03T00:00:00",
        "db": "BID",
        "id": "58834"
      },
      {
        "date": "2014-03-24T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-006230"
      },
      {
        "date": "2014-03-20T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201304-062"
      },
      {
        "date": "2014-03-19T13:55:01.383000",
        "db": "NVD",
        "id": "CVE-2013-2643"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201304-062"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Sophos Web Appliance Vulnerable to cross-site scripting",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-006230"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "xss",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "121060"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201304-062"
      }
    ],
    "trust": 0.7
  }
}

ghsa-r2rc-4r46-p269

Vulnerability from github

Published

2022-05-17 04:49

Modified

2022-05-17 04:49

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2013-2643"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-03-18T17:02:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appliance before 3.7.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) xss parameter in an allow action to rss.php, (2) msg parameter to end-user/errdoc.php, (3) h parameter to end-user/ftp_redirect.php, or (4) threat parameter to the Blocked component.",
  "id": "GHSA-r2rc-4r46-p269",
  "modified": "2022-05-17T04:49:03Z",
  "published": "2022-05-17T04:49:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2643"
    },
    {
      "type": "WEB",
      "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.sophos.com/en-us/support/knowledgebase/118969.aspx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

fkie_cve-2013-2643

Vulnerability from fkie_nvd

Published

2014-03-18 17:02

Modified

2025-04-12 10:46

Severity ?

Summary

References

URL	Tags
cve@mitre.org	http://www.sophos.com/en-us/support/knowledgebase/118969.aspx	Vendor Advisory
cve@mitre.org	https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://www.sophos.com/en-us/support/knowledgebase/118969.aspx	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt	Exploit

Impacted products

	Vendor	Product	Version
	sophos	web_appliance_firmware	*
	sophos	web_appliance	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:sophos:web_appliance_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5A72A59D-1018-43D3-B7E8-53F0AA013C18",
              "versionEndIncluding": "3.7.8.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:sophos:web_appliance:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "37CBAA36-B58B-4D52-B674-E795290D42EE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appliance before 3.7.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) xss parameter in an allow action to rss.php, (2) msg parameter to end-user/errdoc.php, (3) h parameter to end-user/ftp_redirect.php, or (4) threat parameter to the Blocked component."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de XSS en Sophos Web Appliance anterior a 3.7.8.2 permiten a atacantes remotos inyectar script Web o HTML arbitrarios a trav\u00e9s del (1) par\u00e1metro xss en una acci\u00f3n permitida hacia rss.php, (2) par\u00e1metro msg hacia end-user/errdoc.php, (3) par\u00e1metro h hacia end-user/ftp_redirect.php o (4) par\u00e1metro threat hacia el componente Blocked."
    }
  ],
  "id": "CVE-2013-2643",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2014-03-18T17:02:51.887",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.sophos.com/en-us/support/knowledgebase/118969.aspx"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.sophos.com/en-us/support/knowledgebase/118969.aspx"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

gsd-2013-2643

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Aliases

CVE-2013-2643

Aliases

CVE-2013-2643

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2013-2643",
    "description": "Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appliance before 3.7.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) xss parameter in an allow action to rss.php, (2) msg parameter to end-user/errdoc.php, (3) h parameter to end-user/ftp_redirect.php, or (4) threat parameter to the Blocked component.",
    "id": "GSD-2013-2643",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2013-2643"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2013-2643"
      ],
      "details": "Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appliance before 3.7.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) xss parameter in an allow action to rss.php, (2) msg parameter to end-user/errdoc.php, (3) h parameter to end-user/ftp_redirect.php, or (4) threat parameter to the Blocked component.",
      "id": "GSD-2013-2643",
      "modified": "2023-12-13T01:22:17.237926Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2013-2643",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appliance before 3.7.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) xss parameter in an allow action to rss.php, (2) msg parameter to end-user/errdoc.php, (3) h parameter to end-user/ftp_redirect.php, or (4) threat parameter to the Blocked component."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt",
            "refsource": "MISC",
            "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt"
          },
          {
            "name": "http://www.sophos.com/en-us/support/knowledgebase/118969.aspx",
            "refsource": "CONFIRM",
            "url": "http://www.sophos.com/en-us/support/knowledgebase/118969.aspx"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:sophos:web_appliance_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "3.7.8.1",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:sophos:web_appliance:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2013-2643"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appliance before 3.7.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) xss parameter in an allow action to rss.php, (2) msg parameter to end-user/errdoc.php, (3) h parameter to end-user/ftp_redirect.php, or (4) threat parameter to the Blocked component."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.sophos.com/en-us/support/knowledgebase/118969.aspx",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.sophos.com/en-us/support/knowledgebase/118969.aspx"
            },
            {
              "name": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt",
              "refsource": "MISC",
              "tags": [
                "Exploit"
              ],
              "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2014-03-19T13:55Z",
      "publishedDate": "2014-03-18T17:02Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2013-2643 (GCVE-0-2013-2643)

Vulnerability from cvelistv5

var-201403-0044

Vulnerability from variot

Vendor/product description:

Business recommendation:

Vulnerability overview/description:

Proof of concept:

Vendor contact timeline:

Workaround:

Advisory URL:

ghsa-r2rc-4r46-p269

Vulnerability from github

fkie_cve-2013-2643

Vulnerability from fkie_nvd

gsd-2013-2643

Vulnerability from gsd

Tags

Sightings

Nomenclature