Reflected XSS Vulnerability in Web Isolation

Web Isolation

1464

04 May 2021

16 October 2018

CLOSED

MEDIUM

6.1

SUMMARY

Symantec Web Isolation (WI) is susceptible to a reflected cross-site scripting (XSS) vulnerability. A remote attacker can target end users protected by WI with social engineering attacks using crafted URLs for legitimate websites. A successful attack allows injecting malicious JavaScript code into the website’s rendered copy running inside the end user’s web browser. It does not allow injecting code into the real (isolated) copy of the website running on the WI Threat Isolation Engine.

AFFECTED PRODUCTS

Web Isolation

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2018-12246 | 1.10 and earlier | Not vulnerable |
| | 1.11 | Upgrade to 1.11.21. |

ADDITIONAL PRODUCT INFORMATION

Symantec Web Isolation is only vulnerable when configured in Portal Isolation mode.

ISSUES

CVE-2018-12246

Severity / CVSSv3: Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

References: SecurityFocus: BID 105581 / NVD: CVE-2018-12246

Impact: Cross-site scripting (XSS)

Description: A reflected cross-site scripting (XSS) vulnerability in Web Isolation allows a remote attacker to target end users protected by Web Isolation with phishing attacks and other social engineering techniques using crafted URLs for legitimate websites. A successful attack allows injecting malicious JavaScript code into the website’s rendered copy running inside the end user’s web browser. It does not allow injecting code into the real (isolated) copy of the website running on the Web Isolation Threat Isolation Engine.

REFERENCES

JVN#58005743 - https://jvn.jp/en/jp/JVN58005743/

REVISION

2018-10-22 Added reference to JVN#58005743.
2018-10-16 Initial public release.