Reflected XSS Vulnerability in Web Isolation
SUMMARY
Symantec Web Isolation (WI) is susceptible to a reflected cross-site scripting (XSS) vulnerability. A remote attacker can target end users protected by WI with social engineering attacks that use crafted URLs for legitimate websites. A successful attack injects malicious JavaScript code into the rendered copy of the website running inside the end user's web browser. It does not allow injecting code into the real (isolated) copy of the website running on the WI Threat Isolation Engine.
AFFECTED PRODUCTS
Web Isolation
CVE | Affected Version(s) | Remediation
---|---|---
CVE-2018-12246 | 1.10 and earlier | Not vulnerable
CVE-2018-12246 | 1.11 | Upgrade to 1.11.21.
ADDITIONAL PRODUCT INFORMATION
Symantec Web Isolation is vulnerable only when configured in Portal Isolation mode.
ISSUES
CVE-2018-12246 |
---|---
Severity / CVSSv3 | Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
References | SecurityFocus: BID 105581 / NVD: CVE-2018-12246
Impact | Cross-site scripting (XSS)
Description | A reflected cross-site scripting (XSS) vulnerability in Web Isolation allows a remote attacker to target end users protected by Web Isolation with phishing attacks and other social engineering techniques that use crafted URLs for legitimate websites. A successful attack injects malicious JavaScript code into the rendered copy of the website running inside the end user's web browser. It does not allow injecting code into the real (isolated) copy of the website running on the Web Isolation Threat Isolation Engine.
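The advisory does not disclose where Web Isolation reflects attacker input, so the following is an added illustration of the bug class it describes, not Symantec's code and not the product's actual injection point. It models a hypothetical portal-style handler that echoes a `url` query parameter into the HTML it returns to the browser; the function names, the `portal.example` host and the `url` parameter are assumptions. The vulnerable renderer reflects the script tag from a crafted link into the client-side page, which is the copy the advisory says is affected; the hardened renderer parses the target as a URL, restricts it to http(s), and HTML-encodes it before reflecting it.

```javascript
// Added example, not Symantec's code: a hypothetical portal-style handler that
// reflects a `url` query parameter into the HTML page it returns to the browser.
// The function names, the portal.example host and the parameter name are assumptions.

const PORTAL_ORIGIN = "https://portal.example/"; // assumed portal host

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

function errorPage() {
  return "<html><body><p>Invalid target URL.</p></body></html>";
}

// Vulnerable renderer: the decoded parameter value is concatenated into markup
// unchanged, so any HTML in it, including a <script> element, becomes part of
// the page that the end user's browser executes.
function renderPortalPageVulnerable(requestUrl) {
  const target = new URL(requestUrl, PORTAL_ORIGIN).searchParams.get("url") || "";
  return `<html><body><p>Isolating: ${target}</p></body></html>`;
}

// Hardened renderer: the value must parse as an http(s) URL (the WHATWG parser
// percent-encodes < and > in the path), and the normalized result is HTML-encoded
// before it is placed in the markup, so it is rendered as text, not as elements.
function renderPortalPageHardened(requestUrl) {
  const target = new URL(requestUrl, PORTAL_ORIGIN).searchParams.get("url") || "";
  let parsed;
  try {
    parsed = new URL(target);
  } catch (e) {
    return errorPage();
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return errorPage();
  }
  return `<html><body><p>Isolating: ${escapeHtml(parsed.href)}</p></body></html>`;
}

// Crafted link of the kind a social-engineering attacker would send (constructed
// input): a legitimate-looking target site with a script tag smuggled into its path.
const craftedLink =
  PORTAL_ORIGIN + "isolate?url=" +
  encodeURIComponent("https://www.example.com/<script>alert(document.cookie)</script>");

// Does the rendered page contain a live <script> element?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

console.log(renderPortalPageVulnerable(craftedLink)); // script tag reflected verbatim
console.log(renderPortalPageHardened(craftedLink));   // target shown as inert text
```

Run it with `node`. The hardened variant only protects the page the browser renders, which is the scope of this advisory: the isolated copy on the Threat Isolation Engine is a separate execution context that the reflection does not reach, so a fix for this class of bug belongs in the client-facing portal markup, not in the engine.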
REFERENCES
JVN#58005743 - https://jvn.jp/en/jp/JVN58005743/
REVISION
2018-10-22 Added reference to JVN#58005743.
2018-10-16 Initial public release.