Cisco Secure Email Support Community

spacemeb
Beginner

YUI vulnerability on ESA and SMA!!!

[Attachment: Screenshot_20211211-225243_Email.jpg]

This YUI version is also running on the 14.x versions of WSA/ESA/SMA. Right now YUI has released version 3.6 and Cisco is running what??!!

There are multiple bugs mentioning this vulnerability, but for very old versions like 9.x.

Is this valid?? Are there any fixes?!

Accepted Solution

Hello,

 

Thank you for providing the CVE and defects. While YUI may still be used on later builds, we modified some of the back-end files to no longer impact our product. It has been fixed starting in the Known Fixed Releases listed in the respective defect. 

 

You can also confirm any 3rd party software in use by reviewing our Open Source release notes.

 

https://www.cisco.com/c/en/us/support/security/email-security-appliance/products-release-notes-list.html

 

Thanks!

-Dennis M.


4 Replies
dmccabej
Cisco Employee

Hello,

 

It does not look like you have provided a CVE or any Cisco bugs. This would be important information for any vulnerability you're looking for details on.

 

Also, where did you obtain the screenshot from? Is this a scanner you ran? If so, against what?

 

Thanks!

-Dennis M.

spacemeb
Beginner

Hello,

Thanks for your reply!

I saw multiple bugs reported for older versions:

CVE-2013-6780

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur89626?rfs=iqvred

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur44409?rfs=iqvred

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur89624?rfs=iqvred


Yes, the SS is from our scanner.

Kind Regards

spacemeb
Beginner

Hi again, 

 

I tried to replicate the behavior of the XSS but it didn't succeed, I suppose because it has been fixed (?).


http(s)://domain.com/yui/uploader/assets/uploader.swf?allowedDomain=\"})))}catch(e){alert('XSS');}//
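An added detection example, not part of this thread and not a Cisco tool: assuming Apache-style access logs (constructed sample lines below), it flags requests to the YUI uploader.swf whose allowedDomain parameter is not a plain hostname, which catches the reflected-parameter pattern above without depending on one specific payload string.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real appliance logs). The third
# line carries the URL-encoded allowedDomain value quoted in the thread above.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2021:22:50:01 +0000] "GET /login HTTP/1.1" 200 1834
10.0.0.5 - - [11/Dec/2021:22:50:07 +0000] "GET /yui/uploader/assets/uploader.swf?allowedDomain=mail.example.test HTTP/1.1" 200 4221
10.0.0.9 - - [11/Dec/2021:22:52:43 +0000] "GET /yui/uploader/assets/uploader.swf?allowedDomain=%5C%22%7D%29%29%29%7Dcatch%28e%29%7Balert%28%27XSS%27%29%3B%7D%2F%2F HTTP/1.1" 200 4221
"""

# Common-log-format request line: source, timestamp, method and request target.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# A legitimate allowedDomain value is a hostname (or the '*' wildcard);
# anything containing quotes, braces or parentheses is not.
HOSTNAME_RE = re.compile(r'^(\*|[A-Za-z0-9.-]+)$')

def suspicious_uploader_requests(log_text):
    """Return (src, ts, allowedDomain) for each request to the YUI uploader.swf
    whose allowedDomain parameter is not a plain hostname."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group('target'))
        if not url.path.lower().endswith('/yui/uploader/assets/uploader.swf'):
            continue
        # parse_qs percent-decodes the values, so we compare the decoded text.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get('allowedDomain', []):
            if not HOSTNAME_RE.match(value):
                hits.append((m.group('src'), m.group('ts'), value))
    return hits

if __name__ == '__main__':
    for src, ts, value in suspicious_uploader_requests(SAMPLE_LOG):
        print(f'{ts} {src} allowedDomain={value!r}')
```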

