Details of VAR-200807-0340

ID

VAR-200807-0340

CVE

CVE-2008-3082

TITLE

Commtouch Enterprise Anti-Spam Gateway of UPM/English/login/login.asp Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2008-003233

DESCRIPTION

Cross-site scripting (XSS) vulnerability in UPM/English/login/login.asp in Commtouch Enterprise Anti-Spam Gateway 4 and 5 allows remote attackers to inject arbitrary web script or HTML via the PARAMS parameter. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Commtouch Anti-Spam Enterprise Gateway 4 and 5 are vulnerable; other versions may also be affected. Commtouch Anti-Spam is an enterprise-level anti-spam protection platform developed by Israel Commtouch Company. The Commtouch Anti-Spam product regularly sends email reports to users, listing the blocked suspicious spam emails, and then users can click related links in the emails to confirm whether suspicious emails should be released. If an attacker sends an email message containing a malicious link, the user is tricked into clicking the link in the message, which can lead to a cross-site scripting attack. Input passed to the "PARAMS" parameter in AntiSpamGateway/UPM/English/login/login.asp is not properly sanitised before being returned to a user. The vulnerability is reported in version 4 and 5. SOLUTION: Filter malicious characters and character sequences using a web proxy. PROVIDED AND/OR DISCOVERED BY: Erez Metula ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2008-June/062955.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2008-3082 // JVNDB: JVNDB-2008-003233 // BID: 29957 // VULHUB: VHN-33207 // PACKETSTORM: 67747

AFFECTED PRODUCTS

vendor:	commtouch	model:	enterprise anti-spam gateway	scope:	eq	version:	5	Trust: 1.6
vendor:	commtouch	model:	enterprise anti-spam gateway	scope:	eq	version:	4	Trust: 1.6
vendor:	commtouch	model:	enterprise anti-spam gateway	scope:	eq	version:	4 and 5	Trust: 0.8
vendor:	commtouch	model:	anti-spam enterprise gateway	scope:	eq	version:	5	Trust: 0.3
vendor:	commtouch	model:	anti-spam enterprise gateway	scope:	eq	version:	4	Trust: 0.3

sources: BID: 29957 // JVNDB: JVNDB-2008-003233 // CNNVD: CNNVD-200807-143 // NVD: CVE-2008-3082

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2008-3082
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2008-3082
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-200807-143
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-33207
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2008-3082
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-33207
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-33207 // JVNDB: JVNDB-2008-003233 // CNNVD: CNNVD-200807-143 // NVD: CVE-2008-3082

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-33207 // JVNDB: JVNDB-2008-003233 // NVD: CVE-2008-3082

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200807-143

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 67747 // CNNVD: CNNVD-200807-143

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-003233

PATCH

title:

Top Page

url:

http://www.commtouch.com/enterprise-anti-spam-overview

Trust: 0.8

sources: JVNDB: JVNDB-2008-003233

EXTERNAL IDS

db:	NVD	id:	CVE-2008-3082	Trust: 2.8
db:	BID	id:	29957	Trust: 2.0
db:	SECUNIA	id:	30876	Trust: 1.8
db:	JVNDB	id:	JVNDB-2008-003233	Trust: 0.8
db:	FULLDISC	id:	20080626 COMMTOUCH ANTI-SPAM ENTERPRISE GATEWAY CROSS SITE SCRIPTING (ALLOWING DOMAIN CREDENTIAL THEFT)	Trust: 0.6
db:	NSFOCUS	id:	12074	Trust: 0.6
db:	XF	id:	43442	Trust: 0.6
db:	CNNVD	id:	CNNVD-200807-143	Trust: 0.6
db:	VULHUB	id:	VHN-33207	Trust: 0.1
db:	PACKETSTORM	id:	67747	Trust: 0.1

sources: VULHUB: VHN-33207 // BID: 29957 // JVNDB: JVNDB-2008-003233 // PACKETSTORM: 67747 // CNNVD: CNNVD-200807-143 // NVD: CVE-2008-3082

REFERENCES

url:	http://lists.grok.org.uk/pipermail/full-disclosure/2008-june/062955.html	Trust: 1.8
url:	http://www.securityfocus.com/bid/29957	Trust: 1.7
url:	http://blog.commtouch.com/cafe/email-security-news/vulnerability-in-commtouch-gateway-not-anymore/	Trust: 1.7
url:	http://secunia.com/advisories/30876	Trust: 1.7
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/43442	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-3082	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-3082	Trust: 0.8
url:	http://xforce.iss.net/xforce/xfdb/43442	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/12074	Trust: 0.6
url:	http://www.commtouch.com/	Trust: 0.3
url:	http://secunia.com/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/product/19187/	Trust: 0.1
url:	http://secunia.com/about_secunia_advisories/	Trust: 0.1
url:	http://secunia.com/hardcore_disassembler_and_reverse_engineer/	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/secunia_security_specialist/	Trust: 0.1
url:	http://corporate.secunia.com/about_secunia/64/	Trust: 0.1
url:	http://secunia.com/advisories/30876/	Trust: 0.1
url:	http://secunia.com/product/19186/	Trust: 0.1

sources: VULHUB: VHN-33207 // BID: 29957 // JVNDB: JVNDB-2008-003233 // PACKETSTORM: 67747 // CNNVD: CNNVD-200807-143 // NVD: CVE-2008-3082

CREDITS

Erez Metula※ erezmetula@2bsecure.co.il

Trust: 0.6

sources: CNNVD: CNNVD-200807-143

SOURCES

db:	VULHUB	id:	VHN-33207
db:	BID	id:	29957
db:	JVNDB	id:	JVNDB-2008-003233
db:	PACKETSTORM	id:	67747
db:	CNNVD	id:	CNNVD-200807-143
db:	NVD	id:	CVE-2008-3082

LAST UPDATE DATE

2025-04-10T22:57:04.356000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-33207	date:	2017-08-08T00:00:00
db:	BID	id:	29957	date:	2015-05-07T17:28:00
db:	JVNDB	id:	JVNDB-2008-003233	date:	2012-06-26T00:00:00
db:	CNNVD	id:	CNNVD-200807-143	date:	2008-09-05T00:00:00
db:	NVD	id:	CVE-2008-3082	date:	2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-33207	date:	2008-07-09T00:00:00
db:	BID	id:	29957	date:	2008-06-26T00:00:00
db:	JVNDB	id:	JVNDB-2008-003233	date:	2012-06-26T00:00:00
db:	PACKETSTORM	id:	67747	date:	2008-06-28T14:14:58
db:	CNNVD	id:	CNNVD-200807-143	date:	2008-06-26T00:00:00
db:	NVD	id:	CVE-2008-3082	date:	2008-07-09T00:41:00