YUI vulnerability on ESA and SMA!!!

spacemeb
Level 1

[Screenshot attached: Screenshot_20211211-225243_Email.jpg]

This YUI version is also running on the 14.x version of WSA/ESA/SMA. Right now YUI has released version 3.6, and Cisco is running what??!!

There are multiple bugs mentioning this vulnerability, but for very old versions like 9.x.

Is this valid?? Are there any fixes?!

Accepted Solution

Hello,

 

Thank you for providing the CVE and defects. While YUI may still be used on later builds, we modified some of the back-end files so they no longer impact our product. It has been fixed starting in the Known Fixed Releases listed in the respective defect.

You can also confirm any third-party software in use by reviewing our Open Source release notes.

 

https://www.cisco.com/c/en/us/support/security/email-security-appliance/products-release-notes-list.html

 

Thanks!

-Dennis M.


4 Replies

dmccabej
Cisco Employee

Hello,

 

It does not look like you have provided a CVE or any Cisco bugs. This would be important information for any vulnerability you're looking for details on.

 

Also, where did you obtain the screenshot from? Is this a scanner you ran? If so, against what?

 

Thanks!

-Dennis M.

spacemeb
Level 1

Hello,

Thanks for your reply!

I saw multiple bugs reported for older versions:

CVE-2013-6780

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur89626?rfs=iqvred

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur44409?rfs=iqvred

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur89624?rfs=iqvred

Yes, the screenshot is from our scanner.

Kind Regards

spacemeb
Level 1

Hi again,

I tried to replicate the behavior of the XSS, but it didn't succeed; I suppose because it has been fixed (?).

http(s)://domain.com/yui/uploader/assets/uploader.swf?allowedDomain=\"})))}catch(e){alert('XSS');}//
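The scanner finding in this thread comes down to a request for the legacy uploader.swf path with a script-like allowedDomain value. What an administrator usually wants next is not the version banner but evidence of whether that asset is actually still served, and which hosts are probing for it. The script below is an added example (my own, not Cisco's code and not the poster's scanner) of that check run over a web access log: it flags every request for the uploader.swf path, marks whether allowedDomain is a bare hostname or a probe, and records the HTTP status, because a 404 means the file is gone and the scanner hit is noise, while a 2xx means the build still ships the asset and should be compared against the Known Fixed Releases in the defects above. It assumes a combined-format access log (an assumption; the appliance's own log format may differ) and all log lines, IPs and hostnames are constructed; only the path and parameter name are taken from the URL quoted above.

```python
"""Flag access-log requests for the legacy YUI uploader.swf path discussed in
this thread. Added example (not Cisco's code and not the poster's scanner);
the log lines below are constructed for the demo."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format: client ident user [time] "request" status ...
# (assumed log format; adjust the regex for a different log source)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) '
)

# Asset path and query parameter taken from the probe URL quoted in the thread.
UPLOADER_SUFFIX = "/yui/uploader/assets/uploader.swf"
PARAM = "allowedDomain"

# A legitimate allowedDomain value is a bare hostname; anything else is a probe.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def classify(line):
    """Return a finding dict for a request to uploader.swf, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith(UPLOADER_SUFFIX):
        return None
    # parse_qs percent-decodes the values for us
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    probe = any(not HOSTNAME_RE.match(v) for v in values)
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "status": status,
        "allowed_domain": values,
        # 2xx: the appliance still serves the asset and the finding needs
        # follow-up; 404: the path is gone and the scanner hit is noise
        "asset_served": 200 <= status < 300,
        "verdict": "probe" if probe else "legacy-asset-request",
    }


def scan(log_text):
    """Classify every line of an access log; return only the relevant ones."""
    findings = []
    for line in log_text.splitlines():
        finding = classify(line)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log: a scanner probe carrying the payload quoted in the
# thread (percent-encoded as a scanner would send it), a benign request for
# the same asset, and an unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Dec/2021:22:50:01 +0000] "GET /yui/uploader/assets/uploader.swf?allowedDomain=%22})))}catch(e){alert('XSS');}// HTTP/1.1" 404 196 "-" "scanner/1.0"
198.51.100.7 - - [11/Dec/2021:22:51:12 +0000] "GET /yui/uploader/assets/uploader.swf?allowedDomain=mail.example.com HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Dec/2021:22:52:30 +0000] "GET /login HTTP/1.1" 200 842 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['status']} served={f['asset_served']} "
              f"{f['verdict']} allowedDomain={f['allowed_domain']}")
```

Run it against the real access log instead of SAMPLE_LOG and look at the asset_served column: if every hit on that path is a 404, the appliance no longer exposes the file and the scanner is matching on a version string alone; if any return 2xx, check the running AsyncOS build against the Known Fixed Releases in the defects linked above before closing the finding.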
