ID

VAR-200904-0217


CVE

CVE-2009-0063


TITLE

Symantec Brightmail Gateway Appliance Control Center cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2009-005734

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the Control Center in Symantec Brightmail Gateway Appliance before 8.0.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Symantec Brightmail Gateway is prone to a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials. Versions prior to Brightmail Gateway 8.0.1 are vulnerable.

Brightmail Gateway is Symantec's information security management platform.

----------------------------------------------------------------------
TITLE:
Symantec Brightmail Gateway Control Center Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA34885

VERIFY ADVISORY:
http://secunia.com/advisories/34885/

DESCRIPTION:
Some vulnerabilities have been reported in Symantec Brightmail Gateway, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to bypass certain security restrictions.

1) Certain unspecified input passed to the Control Center is not properly sanitised before being returned to the user.

2) An error when processing unspecified console functions can be exploited by a Control Center user to gain administrative privileges.

SOLUTION:
Update to version 8.0.1 or later.

PROVIDED AND/OR DISCOVERED BY:
Marian Ventuneac, Perot Systems

ORIGINAL ADVISORY:
SYM09-005:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090423_01
----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2009-0063 // JVNDB: JVNDB-2009-005734 // BID: 34641 // VULHUB: VHN-37509 // PACKETSTORM: 76979

AFFECTED PRODUCTS

vendor: symantec, model: brightmail gateway appliance, scope: eq, version: 7.6

Trust: 1.6

vendor: symantec, model: brightmail gateway appliance, scope: eq, version: 7.5

Trust: 1.6

vendor: symantec, model: brightmail gateway appliance, scope: eq, version: 7.7

Trust: 1.6

vendor: symantec, model: brightmail gateway appliance, scope: lte, version: 8.0

Trust: 1.0

vendor: symantec, model: brightmail gateway appliance, scope: lt, version: 8.0.1

Trust: 0.8

vendor: symantec, model: brightmail gateway appliance, scope: eq, version: 8.0

Trust: 0.6

vendor: symantec, model: mail security series appliance, scope: eq, version: 83000

Trust: 0.3

vendor: symantec, model: mail security series appliance, scope: eq, version: 8200

Trust: 0.3

vendor: symantec, model: brightmail gateway series appliance, scope: eq, version: 83000

Trust: 0.3

vendor: symantec, model: brightmail appliance, scope: eq, version: 8.0

Trust: 0.3

vendor: symantec, model: brightmail appliance, scope: eq, version: 5.0

Trust: 0.3

vendor: symantec, model: brightmail appliance, scope: ne, version: 8.0.1

Trust: 0.3

sources: BID: 34641 // JVNDB: JVNDB-2009-005734 // CNNVD: CNNVD-200904-467 // NVD: CVE-2009-0063

CVSS

SEVERITY

nvd@nist.gov: CVE-2009-0063
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-0063
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200904-467
value: MEDIUM

Trust: 0.6

VULHUB: VHN-37509
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2009-0063
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-37509
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-37509 // JVNDB: JVNDB-2009-005734 // CNNVD: CNNVD-200904-467 // NVD: CVE-2009-0063

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-37509 // JVNDB: JVNDB-2009-005734 // NVD: CVE-2009-0063

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200904-467

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 76979 // CNNVD: CNNVD-200904-467

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-005734

PATCH

title: SYM09-005, url: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090423_01

Trust: 0.8

sources: JVNDB: JVNDB-2009-005734

EXTERNAL IDS

db: NVD, id: CVE-2009-0063

Trust: 2.8

db: BID, id: 34641

Trust: 2.0

db: SECUNIA, id: 34885

Trust: 1.8

db: OSVDB, id: 53944

Trust: 1.7

db: VUPEN, id: ADV-2009-1155

Trust: 1.7

db: SECTRACK, id: 1022116

Trust: 1.7

db: JVNDB, id: JVNDB-2009-005734

Trust: 0.8

db: XF, id: 50074

Trust: 0.6

db: CNNVD, id: CNNVD-200904-467

Trust: 0.6

db: VULHUB, id: VHN-37509

Trust: 0.1

db: PACKETSTORM, id: 76979

Trust: 0.1

sources: VULHUB: VHN-37509 // BID: 34641 // JVNDB: JVNDB-2009-005734 // PACKETSTORM: 76979 // CNNVD: CNNVD-200904-467 // NVD: CVE-2009-0063

REFERENCES

url:http://www.securityfocus.com/bid/34641

Trust: 1.7

url:http://osvdb.org/53944

Trust: 1.7

url:http://securitytracker.com/id?1022116

Trust: 1.7

url:http://secunia.com/advisories/34885

Trust: 1.7

url:http://www.vupen.com/english/advisories/2009/1155

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/50074

Trust: 1.1

url:http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090423_01

Trust: 1.0

url:http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090423_01

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0063

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-0063

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/50074

Trust: 0.6

url:http://www.brightmail.com/

Trust: 0.3

url:http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090423_01

Trust: 0.1

url:http://secunia.com/advisories/34885/

Trust: 0.1

sources: VULHUB: VHN-37509 // BID: 34641 // JVNDB: JVNDB-2009-005734 // PACKETSTORM: 76979 // CNNVD: CNNVD-200904-467 // NVD: CVE-2009-0063

CREDITS

Marian Ventuneac marian.ventuneac@ul.ie

Trust: 0.6

sources: CNNVD: CNNVD-200904-467

SOURCES

db: VULHUB, id: VHN-37509
db: BID, id: 34641
db: JVNDB, id: JVNDB-2009-005734
db: PACKETSTORM, id: 76979
db: CNNVD, id: CNNVD-200904-467
db: NVD, id: CVE-2009-0063

LAST UPDATE DATE

2025-04-10T23:05:09.935000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-37509, date: 2017-08-08T00:00:00
db: BID, id: 34641, date: 2009-04-30T18:46:00
db: JVNDB, id: JVNDB-2009-005734, date: 2012-12-20T00:00:00
db: CNNVD, id: CNNVD-200904-467, date: 2009-04-30T00:00:00
db: NVD, id: CVE-2009-0063, date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: VULHUB, id: VHN-37509, date: 2009-04-24T00:00:00
db: BID, id: 34641, date: 2009-04-21T00:00:00
db: JVNDB, id: JVNDB-2009-005734, date: 2012-12-20T00:00:00
db: PACKETSTORM, id: 76979, date: 2009-04-27T15:17:12
db: CNNVD, id: CNNVD-200904-467, date: 2009-04-24T00:00:00
db: NVD, id: CVE-2009-0063, date: 2009-04-24T15:30:00.187