Summary
Scalix Web Access is prone to an XML External Entity (XXE) injection vulnerability and a Cross-Site Scripting (XSS) vulnerability.
Impact
Attackers can exploit the XML External Entity Injection to obtain potentially sensitive information. This may lead to further attacks. An attacker may leverage the Cross Site Scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Solution
Ask the vendor for an update.
Affected
Scalix Web Access versions 11.4.6.12377 and 12.2.0.14697 are vulnerable.
Detection
Check the version
References
Updated on 2015-03-25
Severity
Classification
- CVE: CVE-2014-9352, CVE-2014-9360
- CVSS Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Related Vulnerabilities
- Adobe Reader Information Disclosure & Code Execution Vulnerabilities (Linux)
- Adobe Digital Edition Information Disclosure Vulnerability (Windows)
- Adobe Digital Edition Information Disclosure Vulnerability (Mac OS X)
- Asterisk Missing ACL Check Remote Security Bypass Vulnerability
- Apple Safari WebKit Information Disclosure Vulnerability (Mac OS X)