Vendor: Websense Enterprise
By: SecurityFocus
CVSS: 8.8 (HIGH)
CWE: 79 (Cross-site Scripting)
Product Name: Websense Enterprise
Affected Version From: Websense Enterprise 5.1.1
Affected Version To: Websense Enterprise 5.1.1
Patch Exists: YES
Related CWE: CVE-2002-1390
CPE: a:websense:websense_enterprise
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
Year: 2002

Websense Enterprise Cross-site Scripting Vulnerability

Websense Enterprise is vulnerable to cross-site scripting because the error page it displays for a blocked site embeds the blocked site URI without sufficiently sanitizing HTML and script code contained in it. An attacker can therefore place script in a link to a blocked site, and that script is executed in the victim's browser when the victim follows the link and receives the error page. This could lead to the theft of cookie-based authentication credentials or other attacks carried out in the context of the victim's session.

Mitigation:

Websense Enterprise should sanitize HTML and script code from the blocked site URI before displaying the error page.
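The following is an added illustration of that mitigation, not Websense's code: a minimal block-page renderer in the vulnerable shape (URI interpolated verbatim) beside a hardened one that HTML-escapes the URI and only turns it into a link when the scheme is http or https. The sample URI is constructed here in the shape of the proof of concept quoted below; the function names and the page template are assumptions.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input: a blocked-site URL whose query string carries
# script, in the shape of the PoC shown on this page.
SAMPLE_URI = "http://blocked.example?<SCRIPT>alert('hello')</SCRIPT>"


def render_block_page_unsafe(blocked_uri: str) -> str:
    """Vulnerable pattern described in the advisory: the URI is copied
    into the error page unchanged, so any markup in it becomes part of
    the page and runs in the victim's browser."""
    return (
        "<html><body><p>Access to " + blocked_uri
        + " is blocked by policy.</p></body></html>"
    )


def render_block_page(blocked_uri: str) -> str:
    """Hardened renderer: the URI is HTML-escaped before it is embedded,
    both as text and inside the href attribute, so '<', '>', '&' and
    quotes can no longer break out of the surrounding markup."""
    safe = html.escape(blocked_uri, quote=True)
    scheme = urlsplit(blocked_uri).scheme.lower()
    # Only http(s) URIs become clickable; anything else (javascript:,
    # data:, ...) is shown as inert text so the link target itself cannot
    # carry script.
    if scheme in ("http", "https"):
        shown = f'<a href="{safe}">{safe}</a>'
    else:
        shown = safe
    return f"<html><body><p>Access to {shown} is blocked by policy.</p></body></html>"


def contains_raw_script_tag(page: str) -> bool:
    """Simple check a reviewer or test can run over a rendered page:
    does an unescaped <script tag survive into the output?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe page leaks script:", contains_raw_script_tag(render_block_page_unsafe(SAMPLE_URI)))
    print("hardened page leaks script:", contains_raw_script_tag(render_block_page(SAMPLE_URI)))
    print(render_block_page(SAMPLE_URI))
```

Escaping must be applied at the point where the value is written into HTML (output encoding), not by trying to strip "bad" substrings from the URI on input; the attribute and text contexts here both use the same escaper because `html.escape(..., quote=True)` covers the characters that matter in either.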

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/9149/info

Websense Enterprise displays error pages for blocked sites without sufficiently sanitizing HTML and script code from the blocked site URI. This could allow for cross-site scripting attacks if a victim user visits a link to a blocked site that includes hostile HTML and script code. Exploitation could permit theft of cookie-based authentication credentials or other consequences. 

http://[BlockedSite]?<SCRIPT>alert('hello')</SCRIPT>