F-Secure Policy Manager 'WebReporting' Module XSS And Path Disclosure Vulnerabilities

Summary
This host is running F-Secure Policy Manager and is prone to cross site scripting and path disclosure vulnerabilities.
Impact
Successful exploitation will allow an attacker to disclose potentially sensitive information (installation paths) and execute arbitrary code in the context of the application.
Impact Level: Application
Solution
Apply the hotfix matching the installed platform and version:
- F-Secure Policy Manager for Windows version 8.00: ftp://ftp.f-secure.com/support/hotfix/fspm/fspm-8.00-windows-hotfix-2.zip
- F-Secure Policy Manager for Windows version 8.1x: ftp://ftp.f-secure.com/support/hotfix/fspm/fspm-8.1x-windows-hotfix-3.zip
- F-Secure Policy Manager for Windows version 9.00: ftp://ftp.f-secure.com/support/hotfix/fspm/fspm-9.00-windows-hotfix-4.zip
- F-Secure Policy Manager for Linux version 8.00: ftp://ftp.f-secure.com/support/hotfix/fspm-linux/fspm-8.00-linux-hotfix-2.zip
- F-Secure Policy Manager for Linux version 8.1x: ftp://ftp.f-secure.com/support/hotfix/fspm-linux/fspm-8.1x-linux-hotfix-2.zip
- F-Secure Policy Manager for Linux version 9.00: ftp://ftp.f-secure.com/support/hotfix/fspm-linux/fspm-9.00-linux-hotfix-2.zip
Insight
The flaws are caused by an error in the 'WebReporting' interface when processing user-supplied requests, which could allow cross-site scripting and path disclosure attacks.
Affected
F-Secure Policy Manager versions 7.x, 8.x and 9.x
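The Solution and Affected sections above map version branches to hotfixes, and the two do not line up exactly: 7.x is listed as affected but has no hotfix, and only 9.00 (not every 9.x build) has one. The helper below, an added example that is not part of the advisory or any F-Secure tooling, takes a (platform, version) pair from an inventory and reports whether the host is affected and which listed hotfix applies; function names, the "8.1x" = 8.10 through 8.19 reading and the sample hosts are assumptions.

```python
import re
from typing import Optional, Tuple

# Hotfix locations exactly as listed in the advisory, keyed by
# (platform, version branch). "8.1x" is read here as 8.10 through 8.19.
HOTFIXES = {
    ("windows", "8.00"): "ftp://ftp.f-secure.com/support/hotfix/fspm/fspm-8.00-windows-hotfix-2.zip",
    ("windows", "8.1x"): "ftp://ftp.f-secure.com/support/hotfix/fspm/fspm-8.1x-windows-hotfix-3.zip",
    ("windows", "9.00"): "ftp://ftp.f-secure.com/support/hotfix/fspm/fspm-9.00-windows-hotfix-4.zip",
    ("linux", "8.00"): "ftp://ftp.f-secure.com/support/hotfix/fspm-linux/fspm-8.00-linux-hotfix-2.zip",
    ("linux", "8.1x"): "ftp://ftp.f-secure.com/support/hotfix/fspm-linux/fspm-8.1x-linux-hotfix-2.zip",
    ("linux", "9.00"): "ftp://ftp.f-secure.com/support/hotfix/fspm-linux/fspm-9.00-linux-hotfix-2.zip",
}

# Major branches the advisory lists as affected (7.x, 8.x, 9.x).
AFFECTED_MAJORS = {7, 8, 9}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[int, int]:
    """Split a version banner such as '8.10' into (major, minor); reject junk."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def hotfix_branch(major: int, minor: int) -> Optional[str]:
    """Map a parsed version onto the branch naming used by the hotfix files, or None."""
    if major == 8 and minor == 0:
        return "8.00"
    if major == 8 and 10 <= minor <= 19:
        return "8.1x"
    if major == 9 and minor == 0:
        return "9.00"
    return None


def assess(platform: str, version: str) -> dict:
    """Report whether the install is affected and which listed hotfix (if any) applies."""
    major, minor = parse_version(version)
    affected = major in AFFECTED_MAJORS
    branch = hotfix_branch(major, minor) if affected else None
    hotfix = HOTFIXES.get((platform.lower(), branch)) if branch else None
    return {"affected": affected, "hotfix": hotfix}


if __name__ == "__main__":
    # Constructed sample inventory; the 7.20 host is affected but has no listed hotfix.
    for host in [("windows", "8.11"), ("linux", "9.00"), ("windows", "7.20"), ("linux", "10.00")]:
        print(host, assess(*host))
```

A host that comes back affected with no hotfix (7.x, or 8.x/9.x builds outside the listed branches) needs an upgrade to a patched branch rather than a hotfix, which is the case a plain version-to-URL lookup would miss.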
References