中文描述:

Secure Computing CipherTrust IronMail 6.1.1版本的管理控制台中存在多个跨站脚本攻击漏洞。远程攻击者可以借助提交到(a)admin/system_IronMail.do的(1)网络,(2)defRouterIp,(3)主机名,(4)域名,(5)ip地址,(6)默认路由器,(7)dns1或(8)dns2参数；到(b)admin/systemOutOfBand.do的(9)ip地址参数；到(c)admin/systemBackup.do的(10)密码或(11)密码确认参数；到(d)admin/systemLicenseManager.do的(12)Klicense参数；到(e) admin/systemWebAdminConfig.do的(13)rows[1].attrValueStr或(14)rows[2].attrValueStr参数；到(f)admin/ldap_ConfigureServiceProperties.do的(15)rows[0].attrValueStr,rows[1].attrValueStr,(16)rows[2].attrValue,或(17)rows[2].attrValueStrClone参数；到(g) admin/mailFirewall_MailRoutingInternal.do的(18)input1参数；或到(h)admin/mailIdsConfig.do的(19)rows[2].attrValueStr,(20)rows[3].attrValueStr,(21)rows[5].attrValueStr或(22)rows[6].attrValueStr参数，注入任意的web脚本或HTML。

英文描述:

Multiple cross-site scripting (XSS) vulnerabilities in the administration console in Secure Computing CipherTrust IronMail 6.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) network, (2) defRouterIp, (3) hostName, (4) domainName, (5) ipAddress, (6) defaultRouter, (7) dns1, or (8) dns2 parameter to (a) admin/system_IronMail.do; the (9) ipAddress parameter to (b) admin/systemOutOfBand.do; the (10) password or (11) confirmPassword parameter to (c) admin/systemBackup.do; the (12) Klicense parameter to (d) admin/systemLicenseManager.do; the (13) rows[1].attrValueStr or (14) rows[2].attrValueStr parameter to (e) admin/systemWebAdminConfig.do; the (15) rows[0].attrValueStr, rows[1].attrValueStr, (16) rows[2].attrValue, or (17) rows[2].attrValueStrClone parameter to (f) admin/ldap_ConfigureServiceProperties.do; the (18) input1 parameter to (g) admin/mailFirewall_MailRoutingInternal.do; or the (19) rows[2].attrValueStr, (20) rows[3].attrValueStr, (21) rows[5].attrValueStr, or (22) rows[6].attrValueStr parameter to (h) admin/mailIdsConfig.do.

CWE类型:

标签:

中文解决方案:

英文解决方案:

临时解决方案: