NVD Vulnerability Detail

CVE-2014-2879

Summary	Multiple cross-site scripting (XSS) vulnerabilities in Dell SonicWALL Email Security 7.4.5 and earlier allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the uploadPatch parameter to the System/Advanced page (settings_advanced.html) or (2) the uploadLicenses parameter in the License management (settings_upload_dlicense.html) page.
Publication Date	April 17, 2014, 11:55 p.m.
Registration Date	Jan. 26, 2021, 3:09 p.m.
Last Update	Nov. 21, 2024, 11:07 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:sonicwall:email_security_appliance::::::::			7.4.5

Related information, measures and tools

No	URL	タグ
1	http://seclists.org/fulldisclosure/2014/Mar/409	Exploit Mailing List Third Party Advisory
2	http://seclists.org/fulldisclosure/2014/Mar/409	Exploit Mailing List Third Party Advisory
3	http://www.securityfocus.com/archive/1/531642/100/0/threaded
4	http://www.securityfocus.com/archive/1/531642/100/0/threaded
5	http://www.securityfocus.com/bid/66501	Third Party Advisory VDB Entry
6	http://www.securityfocus.com/bid/66501	Third Party Advisory VDB Entry
7	http://www.securitytracker.com/id/1029965	Third Party Advisory VDB Entry
8	http://www.securitytracker.com/id/1029965	Third Party Advisory VDB Entry
9	http://www.sonicwall.com/us/shared/download/Support-Bulletin_Email-Security_Scripting_Vulnerability__Resolved_in__ES746.pdf	Broken Link
10	http://www.sonicwall.com/us/shared/download/Support-Bulletin_Email-Security_Scripting_Vulnerability__Resolved_in__ES746.pdf	Broken Link
11	http://www.vulnerability-lab.com/get_content.php?id=1191	Exploit
12	http://www.vulnerability-lab.com/get_content.php?id=1191	Exploit

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

JVN Vulnerability Information

Dell SonicWALL Email Security におけるクロスサイトスクリプティングの脆弱性

Title	Dell SonicWALL Email Security におけるクロスサイトスクリプティングの脆弱性
Summary	Dell SonicWALL Email Security には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	リモート認証された管理者により、(1) System/Advanced ページ (settings_advanced.html) の uploadPatch パラメータ、または (2) License management ページ (settings_upload_dlicense.html) の uploadLicenses パラメータを介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 26, 2014, midnight
Registration Date	April 22, 2014, 6:42 p.m.
Last Update	April 22, 2014, 6:42 p.m.

Affected System

デル

Dell SonicWALL Email Security 7.4.5 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-2879	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2879
National Vulnerability Database (NVD)
2	CVE-2014-2879	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2879

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
Service Bulletin
1	Dell SonicWALL Email Security Service Bulletin for Scripting Vulnerability	http://www.sonicwall.com/us/shared/download/Support-Bulletin_Email-Security_Scripting_Vulnerability__Resolved_in__ES746.pdf

その他

No	Name	URL
関連文書
1	Dell SonicWall EMail Security 7.4.5 - Multiple Vulnerabilities (Bulletin)	http://seclists.org/fulldisclosure/2014/Mar/409

Change Log

No	Changed Details	Date of change
0	[2014年04月22日] 掲載	Feb. 17, 2018, 10:37 a.m.