CVE-2016-10257

EUVD-2016-1442

10.01.2018, 02:29

The Symantec Advanced Secure Gateway (ASG) 6.6, ASG 6.7 (prior to 6.7.2.1), ProxySG 6.5 (prior to 6.5.10.6), ProxySG 6.6, and ProxySG 6.7 (prior to 6.7.2.1) management console is susceptible to a reflected XSS vulnerability. A remote attacker can use a crafted management console URL in a phishing attack to inject arbitrary JavaScript code into the management console web client application. This is a separate vulnerability from CVE-2016-10256.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 58%

Affected Products (NVD)

Vendor	Product	Version
broadcom	advanced_secure_gateway	6.7 ≤ 𝑥 < 6.7.2.1
broadcom	advanced_secure_gateway	6.6
broadcom	symantec_proxysg	6.5 ≤ 𝑥 < 6.5.10.6
broadcom	symantec_proxysg	6.7 ≤ 𝑥 < 6.7.2.1
broadcom	symantec_proxysg	6.6

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

http://www.securityfocus.com/bid/102447

http://www.securitytracker.com/id/1040138

https://www.symantec.com/security-center/network-protection-security-advisories/SA155

http://www.securityfocus.com/bid/102447

http://www.securitytracker.com/id/1040138

https://www.symantec.com/security-center/network-protection-security-advisories/SA155