Sign-up

ID

VAR-201404-0424


CVE

CVE-2014-2879


TITLE

Dell SonicWALL Email Security Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2014-002181

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Dell SonicWALL Email Security 7.4.5 and earlier allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the uploadPatch parameter to the System/Advanced page (settings_advanced.html) or (2) the uploadLicenses parameter in the License management (settings_upload_dlicense.html) page. The Dell SonicWall EMail Security Appliance is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. Dell SonicWall EMail Security Appliance 7.4.5 and prior versions are vulnerable. This scheme can effectively prevent various types of email attacks and supports encryption of data and information in emails. Filter the 'uploadLicenses' parameter

Trust: 1.98

sources: NVD: CVE-2014-2879 // JVNDB: JVNDB-2014-002181 // BID: 66501 // VULHUB: VHN-70818

AFFECTED PRODUCTS

vendor:sonicwallmodel:email security appliancescope:lteversion:7.4.5

Trust: 1.0

vendor:dellmodel:sonicwall email securityscope:lteversion:7.4.5

Trust: 0.8

vendor:sonicwallmodel:email security appliancescope:eqversion:7.4.5

Trust: 0.6

sources: JVNDB: JVNDB-2014-002181 // CNNVD: CNNVD-201404-368 // NVD: CVE-2014-2879

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-2879
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-2879
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201404-368
value: MEDIUM

Trust: 0.6

VULHUB: VHN-70818
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-2879
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-70818
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-70818 // JVNDB: JVNDB-2014-002181 // CNNVD: CNNVD-201404-368 // NVD: CVE-2014-2879

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-70818 // JVNDB: JVNDB-2014-002181 // NVD: CVE-2014-2879

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201404-368

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201404-368

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-002181

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-70818

PATCH
title:Dell SonicWALL Email Security Service Bulletin for Scripting Vulnerabilityurl:http://www.sonicwall.com/us/shared/download/Support-Bulletin_Email-Security_Scripting_Vulnerability__Resolved_in__ES746.pdf
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2014-002181

EXTERNAL IDS
db:NVDid:CVE-2014-2879
Trust: 2.5
db:SECTRACKid:1029965
Trust: 1.7
db:BIDid:66501
Trust: 1.4
db:JVNDBid:JVNDB-2014-002181
Trust: 0.8
db:CNNVDid:CNNVD-201404-368
Trust: 0.7
db:FULLDISCid:20140328 DELL SONICWALL EMAIL SECURITY 7.4.5 - MULTIPLE VULNERABILITIES (BULLETIN)
Trust: 0.6
db:EXPLOIT-DBid:32556
Trust: 0.1
db:SEEBUGid:SSVID-85837
Trust: 0.1
db:VULHUBid:VHN-70818
Trust: 0.1
sources:
            
            
            VULHUB: VHN-70818 // 
            
            
            
            BID: 66501 // 
            
            
            
            JVNDB: JVNDB-2014-002181 // 
            
            
            
            CNNVD: CNNVD-201404-368 // 
            
            
            
            NVD: CVE-2014-2879

REFERENCES
url:http://seclists.org/fulldisclosure/2014/mar/409
Trust: 2.5
url:http://www.sonicwall.com/us/shared/download/support-bulletin_email-security_scripting_vulnerability__resolved_in__es746.pdf
Trust: 1.7
url:http://www.vulnerability-lab.com/get_content.php?id=1191
Trust: 1.7
url:http://www.securitytracker.com/id/1029965
Trust: 1.7
url:http://www.securityfocus.com/bid/66501
Trust: 1.1
url:http://www.securityfocus.com/archive/1/531642/100/0/threaded
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2879
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2879
Trust: 0.8
sources:
            
            
            VULHUB: VHN-70818 // 
            
            
            
            JVNDB: JVNDB-2014-002181 // 
            
            
            
            CNNVD: CNNVD-201404-368 // 
            
            
            
            NVD: CVE-2014-2879

CREDITS
Benjamin Kunz Mejri
Trust: 0.3
sources:
            
            
            BID: 66501

SOURCES
db:VULHUBid:VHN-70818
db:BIDid:66501
db:JVNDBid:JVNDB-2014-002181
db:CNNVDid:CNNVD-201404-368
db:NVDid:CVE-2014-2879

LAST UPDATE DATE
2025-04-13T23:39:11.152000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-70818date:2018-10-09T00:00:00
db:BIDid:66501date:2014-03-26T00:00:00
db:JVNDBid:JVNDB-2014-002181date:2014-04-22T00:00:00
db:CNNVDid:CNNVD-201404-368date:2014-04-22T00:00:00
db:NVDid:CVE-2014-2879date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:VULHUBid:VHN-70818date:2014-04-17T00:00:00
db:BIDid:66501date:2014-03-26T00:00:00
db:JVNDBid:JVNDB-2014-002181date:2014-04-22T00:00:00
db:CNNVDid:CNNVD-201404-368date:2014-04-22T00:00:00
db:NVDid:CVE-2014-2879date:2014-04-17T14:55:12.323