Vulnerability Details : CVE-2014-2879
Multiple cross-site scripting (XSS) vulnerabilities in Dell SonicWALL Email Security 7.4.5 and earlier allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the uploadPatch parameter to the System/Advanced page (settings_advanced.html) or (2) the uploadLicenses parameter in the License management (settings_upload_dlicense.html) page.
Vulnerability category: Cross site scripting (XSS)
Exploit prediction scoring system (EPSS) score for CVE-2014-2879
Probability of exploitation activity in the next 30 days: 0.35%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 68 %
CVSS scores for CVE-2014-2879
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST |
CWE ids for CVE-2014-2879
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-2879
- http://www.securitytracker.com/id/1029965
  SonicWALL Email Security Input Validation Flaw in 'License Management' and 'Advanced' Pages Permits Cross-Site Scripting Attacks - SecurityTracker (Third Party Advisory; VDB Entry)
- http://www.securityfocus.com/archive/1/531642/100/0/threaded
  SecurityFocus
- http://seclists.org/fulldisclosure/2014/Mar/409
  Full Disclosure: Dell SonicWall EMail Security 7.4.5 - Multiple Vulnerabilities (Bulletin) (Exploit; Mailing List; Third Party Advisory)
- http://www.securityfocus.com/bid/66501
  Dell SonicWall EMail Security Appliance Multiple HTML Injection Vulnerabilities (Third Party Advisory; VDB Entry)
- http://www.sonicwall.com/us/shared/download/Support-Bulletin_Email-Security_Scripting_Vulnerability__Resolved_in__ES746.pdf
  Page Not Found (Broken Link)
- http://www.vulnerability-lab.com/get_content.php?id=1191
  (Exploit)
Products affected by CVE-2014-2879
- cpe:2.3:a:sonicwall:email_security_appliance:*:*:*:*:*:*:*:*