The Symantec ASG and ProxySG FTP proxy WebFTP mode is susceptible to XSS and information disclosure vulnerabilities. A remote attacker can inject malicious JavaScript code in the web listing of a remote FTP server and obtain authentication credentials for a remote FTP server.
CVE |Supported Version(s)|Remediation
CVE-2018-18370, CVE-2018-18371 | 7.1 | Not vulnerable, fixed.
6.7 | Upgrade to 6.7.4.2.
6.6 | Upgrade to later release with fixes.
CVE |Supported Version(s)|Remediation
CVE-2018-18370, CVE-2018-18371 | 7.1 | Not vulnerable, fixed.
6.7 | Upgrade to 6.7.4.2.
6.6 | Upgrade to later release with fixes.
6.5 | Upgrade to 6.5.10.15.
Severity / CVSSv3 | Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) References| SecurityFocus: BID 109823 / NVD: CVE-2018-18370 Impact| Cross-site scripting (XSS) Description | The ASG/ProxySG FTP proxy WebFTP mode allows intercepting FTP connections where a user accesses an FTP server via a ftp:// URL in a web browser. A stored cross-site scripting (XSS) vulnerability in the WebFTP mode allows a remote attacker to inject malicious JavaScript code in ASG/ProxySG’s web listing of a remote FTP server. Exploiting the vulnerability requires the attacker to be able to upload crafted files to the remote FTP server.
Severity / CVSSv3 | Medium / 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) References| SecurityFocus: BID 109823 / NVD: CVE-2018-18371 Impact| Information disclosure Description | The ASG/ProxySG FTP proxy WebFTP mode allows intercepting FTP connections where a user accesses an FTP server via a ftp:// URL in a web browser. An information disclosure vulnerability in the WebFTP mode allows a malicious user to obtain plaintext authentication credentials for a remote FTP server from the ASG/ProxySG’s web listing of the FTP server.
2019-08-27 initial public release