Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1828
Views
5
Helpful
4
Replies

YUI vulnerability on ESA and SMA!!!

Go to solution
spacemeb
Level 1
Level 1

‎12-11-2021 01:02 PM - edited ‎12-11-2021 01:07 PM

Screenshot_20211211-225243_Email.jpg

 this yui version is also running at 14.x version of WSA/ESA/SMA. Right now yui has released 3.6 version and cisco is running what??!!

there are multiple bugs mention this vulnerability but for very old versions like 9.x

 

is this valid?? Are there any fixes?!

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
dmccabej
Cisco Employee
Cisco Employee
In response to spacemeb

‎12-13-2021 08:14 AM

Hello,

 

Thank you for providing the CVE and defects. While YUI may still be used on later builds, we modified some of the back-end files to no longer impact our product. It has been fixed starting in the Known Fixed Releases listed in the respective defect. 

 

You can also confirm any 3rd party software in use by reviewing our Open Source release notes.

 

https://www.cisco.com/c/en/us/support/security/email-security-appliance/products-release-notes-list.html

 

Thanks!

-Dennis M.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
dmccabej
Cisco Employee
Cisco Employee

‎12-12-2021 06:26 PM

Hello,

 

It does not look like you have provided a CVE or any Cisco bugs. This would be important information for any vulnerability you're looking for details on.

 

Also, where did you obtain the screenshot from? Is this a scanner you ran? If so, against what?

 

Thanks!

-Dennis M.

0 Helpful

Go to solution
spacemeb
Level 1
Level 1

‎12-12-2021 11:04 PM

Hello,

Thanks for your reply!

I saw multiple bugs reported for older versiosn: 

CVE-2013-6780

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur89626?rfs=iqvred

 

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur44409?rfs=iqvred

 

 

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur89624?rfs=iqvred

 

Yes, the SS is from our scanner.

Kind Regards

0 Helpful

Go to solution
spacemeb
Level 1
Level 1

‎12-13-2021 12:59 AM

Hi again, 

 

I tried to replicate the behavior of the XSS but It didn't succeed, I suppose because it has been fixed (?). 


http(s)://domain.com/yui/uploader/assets/uploader.swf?allowedDomain=\"})))}catch(e){alert('XSS');}//

0 Helpful

Go to solution
dmccabej
Cisco Employee
Cisco Employee
In response to spacemeb

‎12-13-2021 08:14 AM

Hello,

 

Thank you for providing the CVE and defects. While YUI may still be used on later builds, we modified some of the back-end files to no longer impact our product. It has been fixed starting in the Known Fixed Releases listed in the respective defect. 

 

You can also confirm any 3rd party software in use by reviewing our Open Source release notes.

 

https://www.cisco.com/c/en/us/support/security/email-security-appliance/products-release-notes-list.html

 

Thanks!

-Dennis M.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents