Exploiting the vulnerability can be done after logging into the web app

Jul 28, 2014 11:33 GMT

A non-persistent (reflected) cross-site scripting (XSS) vulnerability has been discovered in the Barracuda Spam and Virus Firewall web application. It allows a potential attacker to inject script that runs in the context of the affected page for a single request, which can be used to hijack session information or execute other non-persistent client-side code.

The product is designed as a complete email solution for organizations that want protection against email-borne threats and data leaks.

The current vulnerability, discovered by the research team at Vulnerability Laboratory, affects versions 5.1.3 and earlier of the product. Barracuda Networks has been notified and solved the issue.

In a post, they said that exploiting it “would require an authenticated user to manipulate his own request to deliver a script payload.”

Vulnerability Laboratory first contacted the developer about the security glitch last year, on November 19. Barracuda responded the next day and then released a patch on July 15, 2014.

The security risk is rated low, with a CVSS (Common Vulnerability Scoring System) score of 2.9 on a scale from zero to ten.

In the proof of concept published by Vulnerability Laboratory, an attacker first authenticates to the interface of the spam and virus firewall, opens the Basic tab and pastes the payload into the URL. The page then reflects the payload back unescaped, and the attacker should see a JavaScript dialog displaying the session cookies.
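As an added illustration of the pattern behind a reflected XSS of this kind (this is not Vulnerability Laboratory's proof of concept and not Barracuda's code), the Python sketch below models a hypothetical page handler that echoes a query parameter named `q` back into its HTML. The vulnerable version reflects the parameter verbatim, the fixed version HTML-escapes it, and a small cookie check shows why marking the session cookie `HttpOnly` matters: `document.cookie`, which the proof of concept's dialog displays, cannot read such a cookie even when script injection succeeds. The host name `spamfw.example`, the path `/basic` and the parameter `q` are assumptions chosen for the example.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed payload of the type a reflected-XSS proof of concept uses:
# it pops a dialog showing whatever document.cookie exposes.
PAYLOAD = "<script>alert(document.cookie)</script>"

# Hypothetical page URL; the real product's paths are not reproduced here.
ATTACK_URL = "https://spamfw.example/basic?q=" + quote(PAYLOAD)


def _query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Hypothetical handler that reflects the 'q' parameter into HTML unescaped.

    Any '<script>' in the parameter becomes live markup in the response, which
    is exactly the non-persistent XSS pattern the article describes.
    """
    q = _query_param(url, "q")
    return f"<html><body><h1>Basic</h1><p>Filter: {q}</p></body></html>"


def render_fixed(url: str) -> str:
    """Same handler, with the reflected value HTML-escaped before insertion.

    html.escape with quote=True neutralises <, >, &, " and ', so the payload
    is shown as text rather than interpreted as markup.
    """
    q = html.escape(_query_param(url, "q"), quote=True)
    return f"<html><body><h1>Basic</h1><p>Filter: {q}</p></body></html>"


def reflects_payload(page: str, payload: str) -> bool:
    """Crude reflected-XSS check: does the raw payload appear verbatim in the page?"""
    return payload in page


def session_cookie_readable_by_script(set_cookie_header: str) -> bool:
    """Parse a Set-Cookie header and report whether document.cookie could read it.

    A cookie carrying the HttpOnly attribute is withheld from script, so an
    injected alert(document.cookie) would not reveal it.
    """
    attributes = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "httponly" not in attributes


if __name__ == "__main__":
    print("vulnerable reflects payload:", reflects_payload(render_vulnerable(ATTACK_URL), PAYLOAD))
    print("fixed reflects payload:     ", reflects_payload(render_fixed(ATTACK_URL), PAYLOAD))
    print("cookie readable (no flag):  ", session_cookie_readable_by_script("session=abc; Path=/"))
    print("cookie readable (HttpOnly): ", session_cookie_readable_by_script("session=abc; Path=/; HttpOnly; Secure"))
```

Output escaping is the actual fix for the reflection; the `HttpOnly` flag only limits what an injected script can steal and does not remove the XSS itself, since injected script can still issue requests with the victim's cookies attached.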