CVE-2008-0971

Barracuda Message Archiver

  • Severity Score (CVSS v2): 3.5
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits (Multiple Sources): 0
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -
Descriptions

Multiple cross-site scripting (XSS) vulnerabilities in index.cgi in Barracuda Spam Firewall (BSF) before 3.5.12.007, Message Archiver before 1.2.1.002, Web Filter before 3.3.0.052, IM Firewall before 3.1.01.017, and Load Balancer before 2.3.024 allow remote attackers to inject arbitrary web script or HTML via (1) the Policy Name field in Search Based Retention Policy in Message Archiver; unspecified parameters in the (2) IP Configuration, (3) Administration, (4) Journal Accounts, (5) Retention Policy, and (6) GroupWise Sync components in Message Archiver; (7) input to search operations in Web Filter; and (8) input used in error messages and (9) hidden INPUT elements in (a) Spam Firewall, (b) IM Firewall, and (c) Web Filter.

Multiple cross-site scripting (XSS) vulnerabilities in index.cgi in Barracuda Spam Firewall (BSF) before 3.5.12.007, Message Archiver before 1.2.1.002, Web Filter before 3.3.0.052, IM Firewall before 3.1.01.017, and Load Balancer before 2.3.024 allow remote attackers to inject arbitrary HTML or web script via:
(1) the Policy Name field in Search Based Retention Policy in Message Archiver

And via unspecified parameters in the (2) IP Configuration, (3) Administration, (4) Journal Accounts, (5) Retention Policy, and (6) GroupWise Sync components in Message Archiver

Also via (7) input to search operations in Web Filter, and (8) input used in error messages and (9) hidden INPUT elements in (a) Spam Firewall, (b) IM Firewall, and (c) Web Filter.

The Barracuda Networks Message Archiver product is vulnerable to persistent and reflected cross-site scripting attacks.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: Single
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2008-02-25 CVE Reserved
  • 2008-12-16 CVE Published
  • 2023-03-07 EPSS Updated
  • 2024-08-07 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Barracuda Networks | Barracuda Im Firewall | <= 3.0.01.008 | - | Affected
Barracuda Networks | Barracuda Load Balancer | <= 2.2.006 | - | Affected
Barracuda Networks | Barracuda Message Archiver | <= 1.1.0.010 | - | Affected
Barracuda Networks | Barracuda Spam Firewall | <= 3.5.11.020 | - | Affected
Barracuda Networks | Barracuda Web Filter | <= 3.3.0.038 | - | Affected