SUMMARY

A cross-site scripting (XSS) vulnerability has been reported in the handling of the URL that loads Certificate Revocation Lists into the appliance via the management console. If the URL is malformed in certain ways, the malformed text is treated as HTML and displayed to the user, instead of an error message being generated.

MITIGATION

A workaround is for administrators to never visit any untrusted site while logged into the ProxySG management console.

ACKNOWLEDGEMENTS

Blue Coat Systems wishes to thank Adrian Pastor of ProCheckUp for working with us to resolve this issue.