CVE-2018-18370

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

6.1MEDIUM

EPSS

0.3%

top 51.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Broadcom Advanced Secure Gateway Broadcom Symantec Proxysg Symantec Corporation Symantec Advanced Secure Gateway (asg)+1 more

Timeline

PublishedAug 30

Latest updateMay 24

Description

The ASG/ProxySG FTP proxy WebFTP mode allows intercepting FTP connections where a user accesses an FTP server via a ftp:// URL in a web browser. A stored cross-site scripting (XSS) vulnerability in the WebFTP mode allows a remote attacker to inject malicious JavaScript code in ASG/ProxySG's web listing of a remote FTP server. Exploiting the vulnerability requires the attacker to be able to upload crafted files to the remote FTP server. Affected versions: ASG 6.6 and 6.7 prior to 6.7.4.2; ProxySG…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶NVDbroadcom/symantec_proxysg6.5 — 6.5.10.15+2

▶CVEListV5symantec_corporation/symantec_proxysg6.5 prior to 6.5.10.15, 6.6, 6.7 prior to 6.7.4.2+2

▶NVDbroadcom/advanced_secure_gateway6.7 — 6.7.4.2+1

▶CVEListV5symantec_corporation/symantec_advanced_secure_gateway_(asg)6.6 and 6.7 prior to 6.7.4.2

🔴Vulnerability Details

GHSA

GHSA-m2px-9cv3-x8qj: The ASG/ProxySG FTP proxy WebFTP mode allows intercepting FTP connections where a user accesses an FTP server via a ftp:// URL in a web browser↗2022-05-24

▶

CVEList

CVE-2018-18370: The ASG/ProxySG FTP proxy WebFTP mode allows intercepting FTP connections where a user accesses an FTP server via a ftp:// URL in a web browser↗2019-08-29

▶