Symantec Web Security: Multiple Vulnerabilities
Thursday January 25, 2007
Security vendor Symantec has released a patch and details on newly disclosed vulnerabilities in Symantec Web Security that impact all versions of SWS prior to 3.0.1.85. The advisory, SYM07-001, explains that "A Cross Site Scripting Vulnerability and a denial of service (DoS) vulnerability have been discovered in the Symantec Web Security (SWS) products." Possible ramifications are as follows:
Excerpted from SYM07-001:

(Cross Site Scripting Vulnerability) An attacker could potentially embed malicious scripts commands into certain specific URLs, which the client browser would execute in the context specified in the malicious command.

(DoS Vulnerability) A denial of service vulnerability has also been identified. An unauthorized user can use the license registering interface and submit a very large file to Symantec Web Security. If the unauthorized user attempted to upload an extremely large file, the subsequent processing could slow the system creating a denial of service.

Symantec has rated the overall risk of the vulnerabilities as a Medium level threat. For further details and to download the patch, see SYM07-001: Symantec Web Security Multiple Vulnerability.

