Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Cisco Ironport AsyncOS Cross Site Scripting

Related Vulnerabilities: CVE-2013-6780  
Publish Date: 25 Feb 2015
Author: Glafkos Charalambous
Source 
                							

                Cisco Ironport AsyncOS Cross Site Scripting
Vendor: Cisco
Product webpage: http://www.cisco.com
Affected version(s): 
  Cisco Ironport ESA - AsyncOS 8.0.1-023
  Cisco Ironport WSA - AsyncOS 8.5.5-022
  Cisco Ironport SMA - AsyncOS 8.4.0-126
Date: 24/02/2015
Credits: Glafkos Charalambous
CVE: CVE-2013-6780

Disclosure Timeline:
28-10-2014: Vendor Notification
28-10-2014: Vendor Response/Feedback
22-01-2015: Vendor Fix/Patch
24-02-2015: Public Disclosure

Description:
Cisco AsyncOS is vulnerable to unauthenticated Cross-site scripting (XSS), caused by improper validation
of user supplied input in the (uploader.swf) Uploader component in Yahoo! versions 2.5.0 through 2.9.0.

An attacker is able to inject arbitrary web script or HTML via the allowedDomain parameter.


XSS Payload:
http(s)://domain.com/yui/uploader/assets/uploader.swf?allowedDomain=\"})))}catch(e){alert('XSS');}//


References:
https://tools.cisco.com/bugsearch/bug/CSCur44409
https://tools.cisco.com/bugsearch/bug/CSCur89626
https://tools.cisco.com/bugsearch/bug/CSCur89624
http://yuilibrary.com/support/20131111-vulnerability/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6780
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6780


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32) 

mQENBFE6TCMBCADQKVLT3xkJDQpUE6M3akJdFRWgFEy2pwoDbnOGDhw6yQYObDEuUlixRV5u
xaIwzh9xPSS36B72bhQC3isHuqDu3xVhx9OX7XlLheXDZJdRbNIXQ3YPk1uYQizuoIpHq08x
Eq4V2CXq7ovZPhWI6+iJt6QkVYvZXJdyoTKT8bLaFSOEfLeyAgkCQdXOgnzmNWeedxp0xGAj
KL7qIhLETp/MK46ndo5hF8RIbVs59gWdu4GxXr96qViJLiAYO1dQNLc+LShMnue91neTjLoe
JkpgqLfEGKV459eCJNqxlylIVbxyTmigExftZKAdNFHat0txK0fB/bLOwRnNFqYWQxanABEB
AAG0KEdsYWZrb3MgQ2hhcmFsYW1ib3VzIDxnbGFma29zQGdtYWlsLmNvbT6JATgEEwECACIF
AlE6TCMCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEHAhLSD814yOAcoIALO6d2AQ
M0l9KD9hPIody4VYOgY8stBrumI+t8njzJOYCCLdzB781vCAa0vINPFuFxGp2e8EfMfvf8+Z
S6kC8EOQ6XyC8eq6imc1Q+tFMwTgykJZPFdosfXjBwg9jos/CR4dI6RZuzGC/FdXjpTAypbE
n3m2a+DBb6CUPeB9nVQq6ukRGbuZ8S+veWRNFwKkTSwC0HKtf9Od+JBrLKesNa3LWLo8q7+d
V3VS8rf8cmOOGBuaITzj87iRpgAgkF3MATa1Vb2nbbdYMpvHbzoj62mSqRiyEp1SOY9XkgcL
2ORsjgjww7GpH3F8LFvaHSHVz+037+E/+i/OSTS7o6gY4eI=
=yiro
-----END PGP SIGNATURE-----

<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started