CERT VU:807134
Mar 13, 2014 - 12:00 a.m.

WatchGuard Fireware XTM devices contain a cross-site scripting vulnerability

2014-03-13 00:00:00
www.kb.cert.org

CVSS2: 4.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.004
Percentile: 74.2%

Overview

WatchGuard Fireware XTM 11.8.1, and possibly earlier versions, contains a cross-site scripting vulnerability.

Description

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

WatchGuard Fireware XTM 11.8.1 contains a cross-site scripting vulnerability in the “poll_name” parameter of the “firewall/policy” page.

Additional details may be found in the WatchGuard advisory.


Impact

A remote attacker who is able to trick a user into visiting a specially crafted URL may be able to conduct a cross-site scripting attack. This attack may result in information leakage, privilege escalation, and/or denial of service.


Solution

Apply an Update

WatchGuard Fireware XTM 11.8.3 addresses this vulnerability.


Vendor Information

Watchguard Technologies, Inc. Affected

Notified: January 23, 2014 Updated: March 13, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group          Score  Vector
Base           4.3    AV:N/AC:M/Au:N/C:N/I:P/A:N
Temporal       3.4    E:POC/RL:OF/RC:C
Environmental  0.8    CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to William Costa for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2014-0338
Date Public: 2014-03-13 Date First Published:
