|
Description
|
|
Benjamin Kunz Mejri has reported multiple vulnerabilities in Endian UTM Software Appliance and Endian Firewall Community, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed via the "PROXY_PORT", "VISIBLE_HOSTNAME", and "ADMIN_MAIL_ADDRESS" parameters to cgi-bin/proxyconfig.cgi is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerabilities are reported in Endian UTM Software Appliance version 2.4.0 and confirmed in Endian Firewall Community version 2.5.1. Other versions may also be affected.
|
