CVE-2016-9099 - Vulnerability Details - OpenCVE

Symantec Advanced Secure Gateway (ASG) 6.6, ASG 6.7 prior to 6.7.2.1, ProxySG 6.5 prior to 6.5.10.6, ProxySG 6.6, and ProxySG 6.7 prior to 6.7.2.1 are susceptible to an open redirection vulnerability. A remote attacker can use a crafted management console URL in a phishing attack to redirect the target user to a malicious web site.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Broadcom	Advanced Secure Gateway Symantec Proxysg

Configuration 1 [-]

cpe:2.3:a:broadcom:advanced_secure_gateway:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:broadcom:symantec_proxysg:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:broadcom:advanced_secure_gateway:6.6:*:*:*:*:*:*:*

Configuration 4 [-]

cpe:2.3:a:broadcom:symantec_proxysg:6.6:*:*:*:*:*:*:*

Configuration 5 [-]

cpe:2.3:a:broadcom:symantec_proxysg:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/102455
http://www.securitytracker.com/id/1040138
https://www.symantec.com/security-center/network-protection-security-advisories/SA155

History

No history.

MITRE

Status: PUBLISHED

Assigner: symantec

Published: 2017-05-11T14:01:00Z

Updated: 2024-09-16T22:40:30.815Z

Reserved: 2016-10-28T00:00:00

Link: CVE-2016-9099

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-05-11T14:30:16.407

Modified: 2024-11-21T03:00:35.660

Link: CVE-2016-9099

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "ASG", "vendor": "Symantec Corporation", "versions": [{"status": "affected", "version": "6.6"}, {"status": "affected", "version": "6.7 prior to 6.7.2.1"}]}, {"product": "ProxySG", "vendor": "Symantec Corporation", "versions": [{"status": "affected", "version": "6.5 prior to 6.5.10.6"}, {"status": "affected", "version": "6.6"}, {"status": "affected", "version": "6.7 prior to 6.7.2.1"}]}], "datePublic": "2018-01-09T00:00:00", "descriptions": [{"lang": "en", "value": "Symantec Advanced Secure Gateway (ASG) 6.6, ASG 6.7 prior to 6.7.2.1, ProxySG 6.5 prior to 6.5.10.6, ProxySG 6.6, and ProxySG 6.7 prior to 6.7.2.1 are susceptible to an open redirection vulnerability. A remote attacker can use a crafted management console URL in a phishing attack to redirect the target user to a malicious web site."}], "problemTypes": [{"descriptions": [{"description": "Open redirection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-11T10:57:01", "orgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "shortName": "symantec"}, "references": [{"name": "102455", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/102455"}, {"name": "1040138", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1040138"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.symantec.com/security-center/network-protection-security-advisories/SA155"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@symantec.com", "DATE_PUBLIC": "2018-01-09T00:00:00", "ID": "CVE-2016-9099", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ASG", "version": {"version_data": [{"version_value": "6.6"}, {"version_value": "6.7 prior to 6.7.2.1"}]}}, {"product_name": "ProxySG", "version": {"version_data": [{"version_value": "6.5 prior to 6.5.10.6"}, {"version_value": "6.6"}, {"version_value": "6.7 prior to 6.7.2.1"}]}}]}, "vendor_name": "Symantec Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Symantec Advanced Secure Gateway (ASG) 6.6, ASG 6.7 prior to 6.7.2.1, ProxySG 6.5 prior to 6.5.10.6, ProxySG 6.6, and ProxySG 6.7 prior to 6.7.2.1 are susceptible to an open redirection vulnerability. A remote attacker can use a crafted management console URL in a phishing attack to redirect the target user to a malicious web site."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Open redirection"}]}]}, "references": {"reference_data": [{"name": "102455", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102455"}, {"name": "1040138", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1040138"}, {"name": "https://www.symantec.com/security-center/network-protection-security-advisories/SA155", "refsource": "CONFIRM", "url": "https://www.symantec.com/security-center/network-protection-security-advisories/SA155"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T02:42:10.150Z"}, "title": "CVE Program Container", "references": [{"name": "102455", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/102455"}, {"name": "1040138", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1040138"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.symantec.com/security-center/network-protection-security-advisories/SA155"}]}]}, "cveMetadata": {"assignerOrgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "assignerShortName": "symantec", "cveId": "CVE-2016-9099", "datePublished": "2017-05-11T14:01:00Z", "dateReserved": "2016-10-28T00:00:00", "dateUpdated": "2024-09-16T22:40:30.815Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:broadcom:advanced_secure_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "08D3C0DC-195F-4035-805E-CDF610BC782E", "versionEndExcluding": "6.7.2.1", "versionStartIncluding": "6.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:broadcom:symantec_proxysg:*:*:*:*:*:*:*:*", "matchCriteriaId": "6EB38BF8-32F4-45F5-8681-60BE4A209EF7", "versionEndExcluding": "6.5.10.6", "versionStartIncluding": "6.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:broadcom:advanced_secure_gateway:6.6:*:*:*:*:*:*:*", "matchCriteriaId": "A541B285-4265-4AED-80FC-AE02C1372645", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:broadcom:symantec_proxysg:6.6:*:*:*:*:*:*:*", "matchCriteriaId": "004F99F2-E750-4FC5-A2A6-65FD1C918676", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:broadcom:symantec_proxysg:*:*:*:*:*:*:*:*", "matchCriteriaId": "D80D6174-972A-4E47-ABAA-1B53D03221E7", "versionEndExcluding": "6.7.2.1", "versionStartIncluding": "6.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Symantec Advanced Secure Gateway (ASG) 6.6, ASG 6.7 prior to 6.7.2.1, ProxySG 6.5 prior to 6.5.10.6, ProxySG 6.6, and ProxySG 6.7 prior to 6.7.2.1 are susceptible to an open redirection vulnerability. A remote attacker can use a crafted management console URL in a phishing attack to redirect the target user to a malicious web site."}, {"lang": "es", "value": "Advanced Secure Gateway (ASG) versi\u00f3n 6.6, ASG versiones 6.7 anteriores a 6.7.2.1, ProxySG versiones 6.5 anteriores a 6.5.10.6, ProxySG versi\u00f3n 6.6 y ProxySG versiones 6.7 anteriores a 6.7.2.1 de Symantec, son susceptibles a una vulnerabilidad de redireccionamiento abierto. Un atacante remoto puede usar una URL dise\u00f1ada de la consola de administraci\u00f3n en un ataque de phishing para redireccionar al usuario destino hacia un sitio web malicioso."}], "id": "CVE-2016-9099", "lastModified": "2024-11-21T03:00:35.660", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-05-11T14:30:16.407", "references": [{"source": "secure@symantec.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102455"}, {"source": "secure@symantec.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1040138"}, {"source": "secure@symantec.com", "tags": ["Vendor Advisory"], "url": "https://www.symantec.com/security-center/network-protection-security-advisories/SA155"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102455"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1040138"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.symantec.com/security-center/network-protection-security-advisories/SA155"}], "sourceIdentifier": "secure@symantec.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}]}