Security Updates

Table 1. Version 8.5.7 includes the following security updates

| Updates | Description |
| --- | --- |
| SameSite cookie attribute update. | Sensitive cookies were missing the SameSite attribute, which could allow cross-site request forgery (CSRF). This issue is fixed with a cookies update to include the SameSite=Lax attribute. |
| Spring Framework denial of service (DoS) vulnerability. | The product used an outdated Spring Framework version vulnerable to DoS via crafted SpEL expressions (CVE-2022-22950). This issue is fixed with a framework upgrade to a secure version. |
| Apache Tomcat 7.0.x Security End of Life vulnerability. | Apache Tomcat 7.0.109 is no longer supported, exposing the system to unresolved security vulnerabilities. This issue is fixed with an upgrade to the latest available version. |
| Spring Security RegexRequestMatcher authorization issue. | Spring Security versions prior to 5.5.7 and 5.6.4 could allow authorization bypass due to misconfigured regular expressions (CVE-2022-22978). This issue is fixed with an upgrade to version 5.5.7, 5.6.4, or later. |
| libcurl cookie injection vulnerability. | libcurl versions prior to 8.4.0 allowed attackers to inject cookies into requests (CVE-2023-38546). This issue is fixed with an upgrade to version 8.4.0 or later. |
| Real Time Monitor cross-site scripting (XSS) vulnerability. | Real Time Monitor versions prior to 8.5.5 Hotfix 3 were vulnerable to stored XSS in email log entries. This issue is fixed with input sanitization and improved validation based on OWASP guidance for XSS prevention. |
| Log Database password disclosure in ESG. | ESG versions prior to 8.5.5 allowed saved database passwords to be exposed through the Log Database status check feature. This issue is fixed with an update to the authentication mechanism to prevent password leakage. |
| Missing Oracle Java Critical Patch Updates (CPUs) in ESG. | ESG used a Java version without required Oracle security patches, exposing it to vulnerabilities including CVE-2020-14803, CVE-2021-23841, CVE-2021-3450, CVE-2021-2161, and CVE-2021-2163. This issue is fixed with an update to a supported Java version that includes all required CPUs. |
| Tomcat version disclosure in Policy Enforcement Module (PEM) and Web Security Module (WSM) application ports. | A vulnerability in PEM and WSM allowed Tomcat version details to be exposed through unsupported HTTP methods, potentially aiding further attacks. This issue is fixed with an update to the ServerInfo.properties file to suppress version disclosure. |
| Directory traversal vulnerability in ESG using TIBCO JasperReports Library. | ESG was using TIBCO JasperReports Library version 6.0.3, which was affected by a directory traversal vulnerability (CVE-2018-18809) that could allow users to access host system contents. This issue is fixed with an update to version 6.3.5 or later. |
| OpenJDK multiple vulnerabilities. | ESG was using OpenJDK versions earlier than 8u362, 11.0.18, 17.0.6, and 20.0.1, which are affected by multiple vulnerabilities including CVE-2023-21930, CVE-2023-21937, CVE-2023-21938, CVE-2023-21939, CVE-2023-21954, CVE-2023-21967, and CVE-2023-21968. This issue is fixed with an update to a supported version of OpenJDK that includes all required security patches. |
| Legacy login page displayed when accessing Forcepoint Security Manager (FSM) using /esg path. | While accessing FSM with the /esg path, an outdated Websense login page was displayed, which could expose deprecated content. This issue is fixed with an update to redirect the path to the appropriate interface. |
| Subscription key displayed in plain text on Subscription page. | The subscription key was visible in plain text on the Subscription page under Email > General, which could expose sensitive information. This issue is fixed with an update to mask the subscription key in the user interface. |
| Vulnerability in OpenSSL version 1.0.2y on application hosts. | A vulnerability in OpenSSL 1.0.2y was identified on application hosts, potentially leading to buffer overread and exposure of sensitive memory. This issue is fixed with an update to OpenSSL 3.014, which addresses the referenced security advisory. |
| Incorrect filename displayed for attachment downloaded from Log Details. | Downloading a quarantined attachment from the Log Details page showed an incorrect filename, which could affect traceability or misrepresent potentially malicious content. This issue is fixed with an update to preserve and display the original attachment name accurately. |
| Privilege escalation via unquoted service path in WebsenseEsgStunnel. | An unquoted service path in the WebsenseEsgStunnel service allowed potential privilege escalation by executing unintended binaries. This issue is fixed with an update to enclose the service path in quotes to prevent unintended execution. |
| XSS vulnerability through attachment name in Blocked Messages. | An XSS vulnerability allowed execution of malicious scripts when viewing malicious attachment names in Blocked Messages. This issue is fixed with an update that sanitizes attachment names to prevent script execution. |
| Input validation issue in PEM login page. | Input submitted to the PEM login page was reflected in server responses, indicating insufficient input validation. This issue is fixed with an update that properly sanitizes input to prevent reflection. |
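To verify the SameSite cookie fix listed in the table, a reviewer can inspect the Set-Cookie headers the application returns and flag sensitive cookies that carry no SameSite attribute. The following is an added example written for this page, not code from the release notes or from the product: the cookie names it treats as sensitive (JSESSIONID, XSRF-TOKEN) and the sample headers are constructed for illustration, and it goes slightly beyond the table entry by also checking the general rule that SameSite=None is only honoured alongside the Secure attribute.

```python
"""Audit Set-Cookie response headers for a missing SameSite attribute.

Added example, not part of the release notes or the product code. It
parses Set-Cookie values the way a reviewer would when confirming that
sensitive cookies now carry SameSite=Lax. Cookie names and headers below
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Cookies treated as session/CSRF-relevant in this example (assumption).
SENSITIVE_COOKIE_NAMES = {"JSESSIONID", "XSRF-TOKEN"}

# Values a browser recognises for the SameSite attribute.
VALID_SAMESITE = {"strict", "lax", "none"}


@dataclass
class CookieAudit:
    name: str
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure)
    map to None. The cookie's own value is not needed for this audit.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = None
    return name, attrs


def audit_set_cookie(header_value: str) -> CookieAudit:
    """Report SameSite problems for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(header_value)
    samesite = attrs.get("samesite")
    audit = CookieAudit(name=name, samesite=samesite)
    if name in SENSITIVE_COOKIE_NAMES:
        if samesite is None:
            audit.findings.append("missing SameSite attribute (CSRF risk)")
        elif samesite.lower() not in VALID_SAMESITE:
            audit.findings.append(f"unrecognised SameSite value {samesite!r}")
        elif samesite.lower() == "none" and "secure" not in attrs:
            audit.findings.append("SameSite=None requires the Secure attribute")
    return audit


def audit_response_headers(headers: List[Tuple[str, str]]) -> List[CookieAudit]:
    """Audit every Set-Cookie header in a (name, value) header list."""
    return [audit_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]


# Constructed sample responses: one missing the attribute, one with the fix.
BEFORE_FIX = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly; Secure"),
]
AFTER_FIX = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        for result in audit_response_headers(hdrs):
            print(label, result.name, result.samesite, result.findings)
```

Run it against headers captured from the login and management endpoints; any sensitive cookie reported with "missing SameSite attribute" means the fix is not in effect on that endpoint.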
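The unquoted service path entry for WebsenseEsgStunnel describes a configuration defect that an administrator can check for across all services on a host. The following added example, not the product's code, takes service names and their ImagePath strings as they would be read from each service's registry key, flags any unquoted executable path containing a space, and returns the quoted form the fix applies. The service names and paths are constructed; the real install path of the Forcepoint binary is not taken from the page.

```python
"""Detect unquoted Windows service paths that contain spaces.

Added example, not the product's code. Given a service's ImagePath
value, report whether the executable portion is unquoted and contains a
space (the condition behind the WebsenseEsgStunnel entry above) and
produce the quoted ImagePath that removes the issue. All service names
and paths below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Executable portion of an unquoted ImagePath: everything up to the first
# ".exe" that is followed by whitespace or end of string; the rest is args.
EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


@dataclass
class ServicePathCheck:
    service: str
    image_path: str
    executable: Optional[str]   # executable path as the SCM would resolve it
    vulnerable: bool            # unquoted and contains a space
    fixed_image_path: str       # ImagePath with the executable quoted


def check_service_path(service: str, image_path: str) -> ServicePathCheck:
    """Classify one service's ImagePath value."""
    value = image_path.strip()
    if value.startswith('"'):
        # Already quoted: the executable is delimited explicitly.
        exe = value[1:].split('"', 1)[0]
        return ServicePathCheck(service, image_path, exe, False, image_path)
    match = EXE_RE.match(value)
    if not match:
        # Not a recognisable .exe path (e.g. a driver); nothing to report.
        return ServicePathCheck(service, image_path, None, False, image_path)
    exe, args = match.group(1), match.group(2) or ""
    vulnerable = " " in exe
    fixed = f'"{exe}"{args}' if vulnerable else image_path
    return ServicePathCheck(service, image_path, exe, vulnerable, fixed)


def find_unquoted_service_paths(services: Dict[str, str]) -> List[ServicePathCheck]:
    """Return only the services whose ImagePath needs quoting."""
    results = (check_service_path(name, path) for name, path in services.items())
    return [r for r in results if r.vulnerable]


# Constructed sample: an unquoted path with spaces, its fixed form, and a
# system service whose executable path contains no spaces.
SAMPLE_SERVICES = {
    "ExampleStunnel": r"C:\Program Files\Example Vendor\stunnel\stunnel.exe -service",
    "ExampleStunnelFixed": r'"C:\Program Files\Example Vendor\stunnel\stunnel.exe" -service',
    "EventLog": r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted",
}

if __name__ == "__main__":
    for finding in find_unquoted_service_paths(SAMPLE_SERVICES):
        print(f"{finding.service}: unquoted path with spaces")
        print(f"  current: {finding.image_path}")
        print(f"  fixed:   {finding.fixed_image_path}")
```

On a real host the input dictionary would be built from the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services; the check itself is the same, and the returned fixed_image_path is the value the 8.5.7 update writes for the affected service.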