Barracuda Spam Firewall ldap_test.cgi Cross-Site Scripting Vulnerability

Nessus Network Monitor Plugin ID 4518 (Severity: Medium)

Synopsis

The remote web server contains a CGI script that is affected by a cross-site scripting vulnerability.

Description

According to its firmware version, the remote Barracuda Spam Firewall device fails to filter input to the 'email' parameter of the '/cgi-bin/ldap_test.cgi' script before using it to generate dynamic content. An unauthenticated remote attacker may be able to leverage this issue to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected site.

Solution

Either configure the device to limit access to the web management application by IP address or update to firmware release 3.5.11.025 or later.
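As an added example (not part of the Tenable plugin or Barracuda's code), the following Python covers both halves of this entry from the defender's side: it scans web-server access logs for requests to the vulnerable '/cgi-bin/ldap_test.cgi' script whose 'email' parameter carries HTML metacharacters, and it checks a device's firmware string against the fixed release 3.5.11.025. The log lines, client addresses and the Common Log Format layout are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in Common Log Format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [19/May/2008:10:01:02 +0000] "GET /cgi-bin/ldap_test.cgi?email=user%40example.com HTTP/1.1" 200 512
10.0.0.7 - - [19/May/2008:10:02:15 +0000] "GET /cgi-bin/ldap_test.cgi?email=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 600
10.0.0.9 - - [19/May/2008:10:03:44 +0000] "GET /cgi-bin/index.cgi?email=%3Cb%3Ex HTTP/1.1" 200 300
"""

VULN_PATH = "/cgi-bin/ldap_test.cgi"   # script named in the advisory
FIXED_FIRMWARE = "3.5.11.025"          # first fixed release named in the advisory

# Request line inside a CLF record: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that should never appear in a plain e-mail address
HTML_META = re.compile("[<>\"']")


def suspicious_email_requests(log_text):
    """Return (client_ip, decoded_email_value) for every request to the
    vulnerable script whose 'email' parameter contains HTML metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue   # other scripts are out of scope for this check
        for value in parse_qs(url.query, keep_blank_values=True).get("email", []):
            value = unquote(value)   # second decode catches double-encoded input
            if HTML_META.search(value):
                hits.append((line.split()[0], value))
    return hits


def firmware_is_fixed(version, fixed=FIXED_FIRMWARE):
    """Numeric comparison of dotted firmware strings ('3.5.11.025' -> (3,5,11,25)),
    so that '3.5.11.9' is correctly treated as older than '3.5.11.025'."""
    as_tuple = lambda v: tuple(int(part) for part in v.split("."))
    return as_tuple(version) >= as_tuple(fixed)


if __name__ == "__main__":
    for client, value in suspicious_email_requests(SAMPLE_LOG):
        print(f"possible XSS probe from {client}: email={value!r}")
    print("3.5.11.020 fixed:", firmware_is_fixed("3.5.11.020"))
```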

See Also

http://www.barracudanetworks.com/ns/support/tech_alert.php

http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0566.html

Plugin Details

Severity: Medium

ID: 4518

Family: Web Servers

Published: 8/18/2004

Updated: 3/6/2019

Nessus ID: 32434

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/h:barracuda_networks:barracuda_spam_firewall

Reference Information

CVE: CVE-2008-2333

BID: 29340