This Security Advisory describes the XSS via Host Header Injection vulnerability and its potential effect on Forcepoint products.
Information
Forcepoint acknowledges Prasenjit Kanti Paul for bringing this to our attention.
Published date: January 21, 2020
Last update: N/A
Security Advisory status: Published
Security Advisory severity: High
CVE numbers: CVE-2019-6146
Security Advisory summary
The Forcepoint Product Security Incident Response Team (PSIRT) is investigating the following security vulnerability and its impact on Forcepoint products. This article will be updated when fixes are completed.
It has been reported that cross-site scripting (XSS) is possible in Forcepoint Web Security, version 8.x, via host header injection.
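To make the vulnerability class concrete, the following Python snippet is an added illustration written for this advisory and is not Forcepoint's code: it shows a handler that reflects the request's Host header into HTML unencoded, beside a hardened variant that validates the header against a fixed hostname allowlist and HTML-escapes it before use. The hostnames in ALLOWED_HOSTS and the fallback name are assumptions constructed for the example.

```python
import html
from typing import Callable, Optional

# Constructed allowlist of hostnames this service is deployed under
# (an assumption for the example, not a Forcepoint setting).
ALLOWED_HOSTS = {"proxy.example.com", "proxy.example.com:8080"}
CANONICAL_HOST = "proxy.example.com"


def render_vulnerable(host_header: Optional[str]) -> str:
    """Builds a page fragment that echoes the Host header verbatim.

    This is the pattern behind host-header XSS: the Host value is
    attacker-influenced (it is just a request header) and lands in the
    response body without validation or encoding.
    """
    return f'<a href="http://{host_header}/login">Continue</a>'


def render_hardened(host_header: Optional[str]) -> str:
    """Same page fragment with two independent defences.

    1. The Host value is only used if it matches a fixed allowlist;
       anything else is replaced by the canonical hostname.
    2. The chosen value is HTML-escaped (including quotes) before it is
       written into the attribute, so even an allowlist mistake cannot
       break out of the markup.
    """
    host = host_header if host_header in ALLOWED_HOSTS else CANONICAL_HOST
    return f'<a href="http://{html.escape(host, quote=True)}/login">Continue</a>'


def reflects_host_unsafely(render: Callable[[Optional[str]], str]) -> bool:
    """Defensive self-check: send a constructed Host value containing markup
    characters and report whether any of them come back unencoded.

    Useful as a regression test for a handler that builds absolute URLs
    from the Host header.
    """
    probe = 'probe.example"><b>x</b>'          # constructed test input
    body = render(probe)
    return '"><' in body or "<b>" in body
```

A regression test built on reflects_host_unsafely fails for the vulnerable handler and passes for the hardened one; in a real deployment the allowlist would come from configuration rather than a module constant, and the canonical fallback should match the name users actually reach the service under.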
Products under review
Assessments are underway.
Affected products
Forcepoint Web Security (formerly TRITON AP-WEB) and Web Security Gateway
Not vulnerable
Assessments are underway.
Resolution
Workarounds
There are no workarounds at this time. Customers using Web Security version 8.4 or earlier are strongly encouraged to upgrade to version 8.5 or higher.
Hotfix and information about other fixes
This vulnerability has been resolved in Web Security Content Gateway with the release of Forcepoint Web Security v8.5.4.
A Web Security hotfix (8.5 HF 11), released on January 20, 2020, has resolved this vulnerability for Forcepoint Web Security v8.5. Please contact Technical Support for access to this hotfix.
A Web Security hotfix (8.5.3 HF 07), released on February 18, 2020, has resolved this vulnerability for Forcepoint Web Security v8.5.3. Please contact Technical Support for access to this hotfix.
This Security Advisory will be updated as necessary.