KB Article | Forcepoint Support

Problem Description

Forcepoint acknowledges Prasenjit Kanti Paul for bringing this to our attention. 

Published Date: January 21, 2020

Last Update: N/A
KBA Status: Published
KBA Severity: High
CVE Numbers: CVE-2019-6146
 
KBA Summary
The Forcepoint Product Security Incident Response Team (PSIRT) is investigating the following security vulnerability and its impact on Forcepoint products. This article will be updated when fixes are completed.

It has been reported that cross-site scripting (XSS) is possible in Forcepoint Web Security, version 8.x, via host header injection. 

Products Under Review
Assessments are underway.

Affected Products
Forcepoint Web Security (formerly TRITON AP-WEB) and Web Security Gateway

Not Vulnerable
Assessments are underway.

Resolution

Workarounds
There are no workarounds at this time. Customers using Web Security version 8.4 or earlier are strongly encouraged to upgrade to version 8.5 or higher. 

Hotfix and Information About Other Fixes
This vulnerability will be resolved in Web Security Content Gateway with the release of Forcepoint Web Security v8.5.4 later this year. 

A Web Security hotfix (8.5 HF 11), released on January 20, 2020, will resolve this vulnerability for Forcepoint Web Security v8.5. Please contact Technical Support for access to this hotfix.

A Web Security hotfix (8.5.3 HF 07), released on February 18, 2020, will resolve this vulnerability for Forcepoint Web Security v8.5.3. Please contact Technical Support for access to this hotfix.

This article will be updated as necessary. 
