ID

VAR-201404-0434


CVE

CVE-2014-2844


TITLE

F-Secure Messaging Secure Gateway Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2014-002182

DESCRIPTION

Cross-site scripting (XSS) vulnerability in F-Secure Messaging Secure Gateway 7.5.0 before Patch 1862 allows remote authenticated administrators to inject arbitrary web script or HTML via the new parameter in the SysUser module to admin. F-Secure Messaging Security Gateway is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. F-Secure Messaging Security Gateway 7.5.0 is vulnerable; other versions may also be affected. The product automatically encrypts e-mail and supports virus and spam filtering.

Trust: 1.98

sources: NVD: CVE-2014-2844 // JVNDB: JVNDB-2014-002182 // BID: 66959 // VULHUB: VHN-70783

AFFECTED PRODUCTS

vendor: f secure, model: messaging secure gateway, scope: eq, version: 7.5.0

Trust: 1.6

vendor: f secure, model: f-secure messaging security gateway, scope: lt, version: 7.5.0 patch 1862

Trust: 0.8

vendor: f secure, model: messaging security gateway, scope: eq, version: 7.5

Trust: 0.3

sources: BID: 66959 // JVNDB: JVNDB-2014-002182 // CNNVD: CNNVD-201404-375 // NVD: CVE-2014-2844

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-2844
value: LOW

Trust: 1.0

NVD: CVE-2014-2844
value: LOW

Trust: 0.8

CNNVD: CNNVD-201404-375
value: LOW

Trust: 0.6

VULHUB: VHN-70783
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2014-2844
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-70783
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-70783 // JVNDB: JVNDB-2014-002182 // CNNVD: CNNVD-201404-375 // NVD: CVE-2014-2844

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-70783 // JVNDB: JVNDB-2014-002182 // NVD: CVE-2014-2844

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201404-375

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201404-375

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002182

PATCH

title: FSC-2014-2: Cross-site Scripting Vulnerability, url: http://www.f-secure.com/en/web/labs_global/fsc-2014-2

Trust: 0.8

sources: JVNDB: JVNDB-2014-002182

EXTERNAL IDS

db: NVD, id: CVE-2014-2844

Trust: 2.8

db: SECUNIA, id: 58038

Trust: 1.7

db: JVNDB, id: JVNDB-2014-002182

Trust: 0.8

db: CNNVD, id: CNNVD-201404-375

Trust: 0.7

db: FULLDISC, id: 20140416 REFLECTED XSS ATTACKS VULNERABILITIES F-SECURE MESSAGING SECURITY GATEWAY V7.5.0.892 (CVE-2014-2844)

Trust: 0.6

db: BID, id: 66959

Trust: 0.4

db: VULHUB, id: VHN-70783

Trust: 0.1

sources: VULHUB: VHN-70783 // BID: 66959 // JVNDB: JVNDB-2014-002182 // CNNVD: CNNVD-201404-375 // NVD: CVE-2014-2844

REFERENCES

url:http://secunia.com/advisories/58038

Trust: 2.3

url:http://www.f-secure.com/en/web/labs_global/fsc-2014-2

Trust: 2.0

url:http://seclists.org/fulldisclosure/2014/apr/223

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2844

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2844

Trust: 0.8

url:http://www.f-secure.com/en/web/business_global/products/email-web-filtering/messaging-security-gateway/overview

Trust: 0.3

sources: VULHUB: VHN-70783 // BID: 66959 // JVNDB: JVNDB-2014-002182 // CNNVD: CNNVD-201404-375 // NVD: CVE-2014-2844

CREDITS

William Costa

Trust: 0.3

sources: BID: 66959

SOURCES

db: VULHUB, id: VHN-70783
db: BID, id: 66959
db: JVNDB, id: JVNDB-2014-002182
db: CNNVD, id: CNNVD-201404-375
db: NVD, id: CVE-2014-2844

LAST UPDATE DATE

2025-04-12T23:28:55.966000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-70783, date: 2014-04-21T00:00:00
db: BID, id: 66959, date: 2014-04-16T00:00:00
db: JVNDB, id: JVNDB-2014-002182, date: 2014-04-22T00:00:00
db: CNNVD, id: CNNVD-201404-375, date: 2014-04-22T00:00:00
db: NVD, id: CVE-2014-2844, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB, id: VHN-70783, date: 2014-04-18T00:00:00
db: BID, id: 66959, date: 2014-04-16T00:00:00
db: JVNDB, id: JVNDB-2014-002182, date: 2014-04-22T00:00:00
db: CNNVD, id: CNNVD-201404-375, date: 2014-04-22T00:00:00
db: NVD, id: CVE-2014-2844, date: 2014-04-18T14:55:25.977