CVE-2015-2773
https://notcve.org/view.php?id=CVE-2015-2773
SVM in Websense TRITON V-Series appliances before 8.0.0 allows attackers to read arbitrary files via unspecified vectors.
References:
• http://www.securityfocus.com/bid/73406
• http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0
CVE-2015-2747
https://notcve.org/view.php?id=CVE-2015-2747
Multiple cross-site scripting (XSS) vulnerabilities in the data loss prevention (DLP) incident Forensics Preview in Websense Triton 7.8.3 and V-Series 7.7 appliances allow remote attackers to inject arbitrary web script or HTML via a crafted (1) email or (2) HTTP request, which triggers a DLP policy.
References:
• http://packetstormsecurity.com/files/130897/Websense-Data-Security-DLP-Incident-Forensics-Preview-XSS.html
• http://seclists.org/fulldisclosure/2015/Mar/102
• http://www.securityfocus.com/archive/1/534908/100/0/threaded
• https://www.securify.nl/advisory/SFY20140904/websense_data_security_dlp_incident_forensics_preview_is_vulnerable_to_cross_site_scripting.html
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-2746 – Websense Appliance Manager - Command Injection
https://notcve.org/view.php?id=CVE-2015-2746
The network diagnostics tool (CommandLineServlet) in the Appliance Manager command line utility (CLU) in Websense TRITON 7.8.3 and V-Series appliances before 7.8.4 Hotfix 02 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the "second" parameter of a command, as demonstrated by the Destination parameter in the ping command.
References:
• https://www.exploit-db.com/exploits/36423
• http://packetstormsecurity.com/files/130899/Websense-Appliance-Manager-Command-Injection.html
• http://seclists.org/fulldisclosure/2015/Mar/104
• http://www.securityfocus.com/archive/1/534910/100/0/threaded
• http://www.websense.com/support/article/kbarticle/October-2014-Hotfix-Summary-for-Websense-Solutions
• https://www.securify.nl/advisory/SFY20140906/command_injection_vulnerability_in_network_diagnostics_tool_of_websense_appliance_manager.html
Weakness: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2015-2748
https://notcve.org/view.php?id=CVE-2015-2748
Websense TRITON AP-WEB before 8.0.0 does not properly restrict access to files in explorer_wse/, which allows remote attackers to obtain sensitive information via a direct request to (1) a Web Security incident report or (2) the Explorer configuration file (websense.ini).
References:
• http://packetstormsecurity.com/files/130901/Websense-Explorer-Missing-Access-Control.html
• http://seclists.org/fulldisclosure/2015/Mar/107
• http://www.securityfocus.com/archive/1/534913/100/0/threaded
• http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0
• https://www.securify.nl/advisory/SFY20140909/missing_access_control_on_websense_explorer_web_folder.html
Weakness: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-2702
https://notcve.org/view.php?id=CVE-2015-2702
Cross-site scripting (XSS) vulnerability in the Message Log in the Email Security Gateway in Websense TRITON AP-EMAIL before 8.0.0 and V-Series 7.7 appliances allows remote attackers to inject arbitrary web script or HTML via the sender address in an email.
References:
• http://packetstormsecurity.com/files/130898/Websense-Email-Security-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2015/Mar/103
• http://www.securityfocus.com/archive/1/534909/100/0/threaded
• http://www.securityfocus.com/bid/73345
• http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0
• https://www.securify.nl/advisory/SFY20140905/websense_email_security_vulnerable_to_persistent_cross_site_scripting_in_audit_log_details_view.html
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')