CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2015-2852
https://notcve.org/view.php?id=CVE-2015-2852
Cross-site request forgery (CSRF) vulnerability in the WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 allows remote attackers to hijack the authentication of administrators. Vulnerabilidad de CSRF en el componente WebUI en Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, y SV3800 3.6.x hasta 3.8.x anterior a 3.8.4 permite a atacantes remotos secuestrar la autenticación de administradores. • http://www.kb.cert.org/vuls/id/498348 http://www.securityfocus.com/bid/74921 https://bto.bluecoat.com/security-advisory/sa96 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.8EPSS: 0%CPEs: 8EXPL: 0CVE-2015-2853
https://notcve.org/view.php?id=CVE-2015-2853
Session fixation vulnerability in the WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 allows remote attackers to hijack web sessions by providing a session ID. Vulnerabilidad de fijación de sesión en el componente WebUI en Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, y SV3800 3.6.x hasta 3.8.x anterior a 3.8.4 permite a atacantes remotos secuestrar sesiones web mediante la provisión de un identificador de sesión. • http://www.kb.cert.org/vuls/id/498348 http://www.securityfocus.com/bid/74921 https://bto.bluecoat.com/security-advisory/sa96 •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2015-2854
https://notcve.org/view.php?id=CVE-2015-2854
The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via vectors involving an IFRAME element. El componente WebUI en Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, y SV3800 3.6.x hasta 3.8.x anterior a 3.8.4 no envía una cabecera HTTP X-Frame-Options restrictivo, lo que permite a atacantes remotos realizar ataques de clickjacking a través de vectores que involucran un elemento IFRAME. • http://www.kb.cert.org/vuls/id/498348 http://www.securityfocus.com/bid/74921 https://bto.bluecoat.com/security-advisory/sa96 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2015-2855
https://notcve.org/view.php?id=CVE-2015-2855
The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not set the secure flag for the administrator's cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session, a different vulnerability than CVE-2015-4138. El componente WebUI en Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, y SV3800 3.6.x hasta 3.8.x anterior a 3.8.4 no configura el indicador de seguro para la cookie del administrador en una sesión htttps, lo que facilita a atacantes remotos capturar esta cookie mediante la intercepción de su transmisión dentro de una sesión http, una vulnerabilidad diferente a CVE-2015-4138. • http://www.kb.cert.org/vuls/id/498348 http://www.securityfocus.com/bid/74921 https://bto.bluecoat.com/security-advisory/sa96 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2015-4138
https://notcve.org/view.php?id=CVE-2015-4138
The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not include the HTTPOnly flag in a Set-Cookie header for the administrator's cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, a different vulnerability than CVE-2015-2855. El componente WebUI en Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, y SV3800 3.6.x hasta 3.8.x anterior a 3.8.4 no incluye el indicador HTTPOnly en una cabecera Set-Cookie para la cookie del administrador, lo que facilita a atacantes remotos obtener información potencialmente sensible a través de el acceso de secuencias de comandos a esta cookie, una vulnerabilidad diferente a CVE-2015-2855. • http://www.kb.cert.org/vuls/id/498348 https://bto.bluecoat.com/security-advisory/sa96 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •