Symantec Web Security Multiple Denial of Service And Cross-Site Scripting Vulnerabilities

Bugtraq ID:	22184
Class:	Unknown
CVE:	CVE-2007-0563
Remote:	Yes
Local:	No
Published:	Jan 24 2007 12:00AM
Updated:	May 12 2015 07:35PM
Credit:	Mikko Korppi is credited with the discovery of these issues.
Vulnerable:	Symantec Web Security 3.0.1 build 3.01.68 Symantec Web Security 3.0.1 build 3.01.67 Symantec Web Security 3.0.1 build 3.01.63 Symantec Web Security 3.0.1 build 3.01.62 Symantec Web Security 3.0.1 build 3.01.61 Symantec Web Security 3.0.1 build 3.01.60 Symantec Web Security 3.0.1 build 3.01.59 Symantec Web Security 3.0.1 build 3.0.1.74 Symantec Web Security 3.0.1 build 3.0.1.72 Symantec Web Security 3.0.1 build 3.0.1.70 Symantec Web Security 3.0.1 .70 Symantec Web Security 3.0.1 Build 62 Symantec Web Security 3.0.1 Symantec Web Security 3.0 Symantec Web Security 2.5
Not Vulnerable:	Symantec Web Security 3.0.1 .85

Symantec Web Security Multiple Denial of Service And Cross-Site Scripting Vulnerabilities

Symantec Web Security is prone to a denial-of-service vulnerability and multiple cross-site scripting vulnerabilities. Under certain circumstances, the application will fail to effectively block malicious URIs used in cross-site scripting attacks.

An attacker can exploit these issues to slow system processes, causing denial-of-service conditions or to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Symantec Web Security versions prior to 3.0.1.85 are vulnerable.

Symantec Web Security Multiple Denial of Service And Cross-Site Scripting Vulnerabilities

An attacker can exploit these issues via a web client. To exploit a cross-site scripting vulnerability, the attacker must entice a victim user to follow a malicious URI.