CVE-2015-2702
https://notcve.org/view.php?id=CVE-2015-2702
Cross-site scripting (XSS) vulnerability in the Message Log in the Email Security Gateway in Websense TRITON AP-EMAIL before 8.0.0 and V-Series 7.7 appliances allows remote attackers to inject arbitrary web script or HTML via the sender address in an email.
References:
• http://packetstormsecurity.com/files/130898/Websense-Email-Security-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2015/Mar/103
• http://www.securityfocus.com/archive/1/534909/100/0/threaded
• http://www.securityfocus.com/bid/73345
• http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0
• https://www.securify.nl/advisory/SFY20140905/websense_email_security_vulnerable_to_persistent_cross_site_scripting_in_audit_log_details_view.html
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2015-2703
https://notcve.org/view.php?id=CVE-2015-2703
Multiple cross-site scripting (XSS) vulnerabilities in Websense TRITON AP-WEB before 8.0.0 and V-Series 7.7 appliances allow remote attackers to inject arbitrary web script or HTML via the (1) ws-userip in the ws-encdata parameter to cve-bin/moreBlockInfo.cgi in the Data Security block page or (2) admin_msg parameter to configure/ssl_ui/eva-config/client-cert-import_wsoem.html in the Content Gateway, which is not properly handled in an error message.
References:
• http://packetstormsecurity.com/files/130902/Websense-Data-Security-Cross-Site-Scripting.html
• http://packetstormsecurity.com/files/130908/Websense-Content-Gateway-Error-Message-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2015/Mar/106
• http://seclists.org/fulldisclosure/2015/Mar/108
• http://www.securityfocus.com/archive/1/534912/100/0/threaded
• http://www.securityfocus.com/archive/1/534914/100/0/threaded
• http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Ver
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2014-0347
https://notcve.org/view.php?id=CVE-2014-0347
The Settings module in Websense Triton Unified Security Center 7.7.3 before Hotfix 31, Web Filter 7.7.3 before Hotfix 31, Web Security 7.7.3 before Hotfix 31, Web Security Gateway 7.7.3 before Hotfix 31, and Web Security Gateway Anywhere 7.7.3 before Hotfix 31 allows remote authenticated users to read cleartext passwords by replacing type="password" with type="text" in an INPUT element in the (1) Log Database or (2) User Directories component.
References:
• http://www.kb.cert.org/vuls/id/568252
• https://www.websense.com/content/mywebsense-hotfixes.aspx?patchid=894&prodidx=20&osidx=0&intidx=0&versionidx=0
CWE-255: Credentials Management Errors

CVE-2009-5131
https://notcve.org/view.php?id=CVE-2009-5131
The Receive Service in Websense Email Security before 7.1 does not recognize domain extensions in the blacklist, which allows remote attackers to bypass intended access restrictions and send e-mail messages via an SMTP session.
References:
• http://www.websense.com/support/article/t-kbarticle/Release-Notes-for-Websense-Email-Security-v7-1
CWE-264: Permissions, Privileges, and Access Controls

CVE-2009-5129
https://notcve.org/view.php?id=CVE-2009-5129
The Websense V10000 appliance before 1.0.1 allows remote attackers to cause a denial of service (intermittent LDAP authentication outage) via a login attempt with an incorrect password.
References:
• http://kb.websense.com/pf/12/webfiles/V10000%20Documentation/V10000%20Patches/v1.0.1/V10000_v1.0.1_ReleaseNotes.pdf
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer