CVE-2017-6328 - Vulnerability Details - OpenCVE

The Symantec Messaging Gateway before 10.6.3-267 can encounter an issue of cross site request forgery (also known as one-click attack and is abbreviated as CSRF or XSRF), which is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. A CSRF attack attempts to exploit the trust that a specific website has in a user's browser.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Symantec	Message Gateway

Configuration 1 [-]

cpe:2.3:a:symantec:message_gateway:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/100136
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00

History

No history.

MITRE

Status: PUBLISHED

Assigner: symantec

Published: 2017-08-11T20:00:00Z

Updated: 2024-09-16T22:19:46.147Z

Reserved: 2017-02-26T00:00:00

Link: CVE-2017-6328

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-08-11T20:29:00.237

Modified: 2024-11-21T03:29:34.303

Link: CVE-2017-6328

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Messaging Gateway", "vendor": "Symantec Corporation", "versions": [{"status": "affected", "version": "All versions prior to version 10.6.3-267"}]}], "datePublic": "2017-08-10T00:00:00", "descriptions": [{"lang": "en", "value": "The Symantec Messaging Gateway before 10.6.3-267 can encounter an issue of cross site request forgery (also known as one-click attack and is abbreviated as CSRF or XSRF), which is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. A CSRF attack attempts to exploit the trust that a specific website has in a user's browser."}], "problemTypes": [{"descriptions": [{"description": "CSRF", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-12T09:57:01", "orgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "shortName": "symantec"}, "references": [{"name": "100136", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/100136"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@symantec.com", "DATE_PUBLIC": "2017-08-10T00:00:00", "ID": "CVE-2017-6328", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Messaging Gateway", "version": {"version_data": [{"version_value": "All versions prior to version 10.6.3-267"}]}}]}, "vendor_name": "Symantec Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Symantec Messaging Gateway before 10.6.3-267 can encounter an issue of cross site request forgery (also known as one-click attack and is abbreviated as CSRF or XSRF), which is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. A CSRF attack attempts to exploit the trust that a specific website has in a user's browser."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CSRF"}]}]}, "references": {"reference_data": [{"name": "100136", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100136"}, {"name": "https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00", "refsource": "CONFIRM", "url": "https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T15:25:49.165Z"}, "title": "CVE Program Container", "references": [{"name": "100136", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/100136"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00"}]}]}, "cveMetadata": {"assignerOrgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "assignerShortName": "symantec", "cveId": "CVE-2017-6328", "datePublished": "2017-08-11T20:00:00Z", "dateReserved": "2017-02-26T00:00:00", "dateUpdated": "2024-09-16T22:19:46.147Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:symantec:message_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "14960FF1-4537-46E3-BDCE-3970DFAA89D1", "versionEndIncluding": "10.6.3-2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Symantec Messaging Gateway before 10.6.3-267 can encounter an issue of cross site request forgery (also known as one-click attack and is abbreviated as CSRF or XSRF), which is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. A CSRF attack attempts to exploit the trust that a specific website has in a user's browser."}, {"lang": "es", "value": "Symantec Messaging Gateway en versiones anteriores a la 10.6.3-267 puede encontrarse con un problema de tipo cross site request forgery (tambi\u00e9n conocido como ataque en un clic y abreviado como CSRF o XSRF), que es un tipo de exploit malicioso de un sitio web en el que un usuario en el que conf\u00eda la aplicaci\u00f3n web transmite comandos sin autorizaci\u00f3n. Un ataque CSRF intenta explotar la confianza que un sitio web espec\u00edfico tiene en el navegador de un usuario."}], "id": "CVE-2017-6328", "lastModified": "2024-11-21T03:29:34.303", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-08-11T20:29:00.237", "references": [{"source": "secure@symantec.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100136"}, {"source": "secure@symantec.com", "tags": ["Vendor Advisory"], "url": "https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100136"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00"}], "sourceIdentifier": "secure@symantec.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}