Summary
Scalix Web Access is prone to an XML External Entity injection and to a Cross Site Scripting vulnerability.
Impact
Attackers can exploit the XML External Entity Injection to obtain potentially sensitive information. This may lead to further attacks. An attacker may leverage the Cross Site Scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Solution
Ask the vendor for an update.
Affected
Scalix Web Access versions 11.4.6.12377 and 12.2.0.14697 are vulnerable.
Detection
Check the version
References
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2014-9352, CVE-2014-9360
CVSS Base Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N