CVE-2008-0971 – Barracuda Message Archiver
https://notcve.org/view.php?id=CVE-2008-0971
Multiple cross-site scripting (XSS) vulnerabilities in index.cgi in Barracuda Spam Firewall (BSF) before 3.5.12.007, Message Archiver before 1.2.1.002, Web Filter before 3.3.0.052, IM Firewall before 3.1.01.017, and Load Balancer before 2.3.024 allow remote attackers to inject arbitrary web script or HTML via (1) the Policy Name field in Search Based Retention Policy in Message Archiver; unspecified parameters in the (2) IP Configuration, (3) Administration, (4) Journal Accounts, (5) Retention Policy, and (6) GroupWise Sync components in Message Archiver; (7) input to search operations in Web Filter; and (8) input used in error messages and (9) hidden INPUT elements in (a) Spam Firewall, (b) IM Firewall, and (c) Web Filter. The Barracuda Networks Message Archiver product is vulnerable to persistent and reflected cross-site scripting attacks.
• http://dcsl.ul.ie/advisories/03.htm http://secunia.com/advisories/33164 http://securityreason.com/securityalert/4792 http://securitytracker.com/id?1021454 http://www.barracudanetworks.com/ns/support/tech_alert.php http://www.osvdb.org/50709 http://www.securityfocus.com/archive/1/499294/100/0/threaded
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-1094 – Barracuda Spam Firewall 3.5.11.020 Model 600 - SQL Injection
https://notcve.org/view.php?id=CVE-2008-1094
SQL injection vulnerability in index.cgi in the Account View page in Barracuda Spam Firewall (BSF) before 3.5.12.007 allows remote authenticated administrators to execute arbitrary SQL commands via a pattern_x parameter in a search_count_equals action, as demonstrated by the pattern_0 parameter. The Barracuda Networks Spam Firewall is vulnerable to various remote SQL injection attacks.
• https://www.exploit-db.com/exploits/7496 http://dcsl.ul.ie/advisories/02.htm http://secunia.com/advisories/33164 http://securityreason.com/securityalert/4793 http://securitytracker.com/id?1021455 http://www.barracudanetworks.com/ns/support/tech_alert.php http://www.securityfocus.com/archive/1/499293/100/0/threaded
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2008-2333 – Barracuda Spam Firewall 3.5.11 - 'ldap_test.cgi' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-2333
Cross-site scripting (XSS) vulnerability in ldap_test.cgi in Barracuda Spam Firewall (BSF) before 3.5.11.025 allows remote attackers to inject arbitrary web script or HTML via the email parameter. The Barracuda Spam Firewall device web administration interface is vulnerable to a reflected cross-site scripting vulnerability which may allow theft of administrative credentials or downloading of malicious content. IRM confirmed the presence of this vulnerability in Barracuda Spam Firewall 600 Firmware 3.5.11.020. The vendor has confirmed the issue exists in all versions prior to 3.5.11.025.
• https://www.exploit-db.com/exploits/31828 http://secunia.com/advisories/30362 http://www.barracudanetworks.com/ns/support/tech_alert.php http://www.irmplc.com/index.php/168-Advisory-027 http://www.securityfocus.com/archive/1/492475/100/0/threaded http://www.securityfocus.com/bid/29340 http://www.securitytracker.com/id?1020108 http://www.vupen.com/english/advisories/2008/1627/references https://exchange.xforce.ibmcloud.com/vulnerabilities/42594
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2007-5058
https://notcve.org/view.php?id=CVE-2007-5058
Cross-site scripting (XSS) vulnerability in the Web administration interface in Barracuda Spam Firewall before firmware 3.5.10.016 allows remote attackers to inject arbitrary web script or HTML via the username field in a login attempt, which is not properly handled when the Monitor Web Syslog screen is open.
• http://osvdb.org/38156 http://secunia.com/advisories/26937 http://securityreason.com/securityalert/3164 http://www.barracudanetworks.com/ns/support/tech_alert.php http://www.infobyte.com.ar/adv/ISR-15.html http://www.securityfocus.com/archive/1/480238/100/0/threaded http://www.securityfocus.com/bid/25757 http://www.securitytracker.com/id?1018733 http://www.vupen.com/english/advisories/2007/3257 https://exchange.xforce.ibmcloud.com/vulnerabilities/36716
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')