Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800, versions 3.6.x to 3.8.3, contain multiple vulnerabilities.
Cross-Site Request Forgery (CSRF) – CVE-2015-2852
Blue Coat SSL Visibility Appliance contains a cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.
Session Fixation – CVE-2015-2853
A user’s session ID is set prior to authentication, and is not invalidated or changed at the time of authentication. An attacker capable of obtaining or setting a session ID can hijack a victim user’s session.
Improper Input Validation – CVE-2015-2854
Blue Coat SSL Visibility Appliance does not restrict framing to the same origin via the X-Frame-Options response header. An attacker can conduct clickjacking attacks via a crafted web page.
Information Exposure – CVE-2015-2855
Sensitive cookies do not have either the Secure or HttpOnly flags set. An attacker capable of sniffing network traffic can intercept or manipulate a victim user’s session ID.
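As an added defensive check, not part of the advisory and not code from Blue Coat: a small Python audit that parses captured HTTP responses for the three conditions described under CVE-2015-2853, CVE-2015-2854 and CVE-2015-2855 (session ID rotation at login, a framing restriction in X-Frame-Options, and Secure/HttpOnly on the session cookie). The session cookie name JSESSIONID and the sample responses are constructed assumptions, not values from the appliance.

```python
# Added audit helpers (not from the advisory). Sample responses are constructed.
SESSION_COOKIE = "JSESSIONID"  # assumed session cookie name, not from the advisory

def parse_headers(raw):
    """Split a raw HTTP response (status line + headers) into (name, value) pairs."""
    pairs = []
    for line in raw.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw):
    """Return findings for CVE-2015-2854 (framing) and CVE-2015-2855 (cookie flags)."""
    findings = []
    headers = parse_headers(raw)
    xfo = [v for n, v in headers if n == "x-frame-options"]
    if not xfo:
        findings.append("missing X-Frame-Options: page can be framed (clickjacking)")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("permissive X-Frame-Options value: " + xfo[0])
    for n, v in headers:
        if n != "set-cookie":
            continue
        cookie_name = v.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in v.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("cookie %s lacks Secure flag" % cookie_name)
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly flag" % cookie_name)
    return findings

def session_id(raw):
    # Value of the session cookie set by this response, or None if none is set.
    for n, v in parse_headers(raw):
        if n == "set-cookie" and v.startswith(SESSION_COOKIE + "="):
            return v.split(";", 1)[0].split("=", 1)[1]
    return None

def session_rotated(pre_auth_raw, post_auth_raw):
    """CVE-2015-2853 check: the ID issued before login must be replaced at login."""
    after = session_id(post_auth_raw)
    return after is not None and after != session_id(pre_auth_raw)

# Constructed samples: pre-login page, login reply reusing the ID, hardened reply.
PRE_LOGIN = "HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=abc123; Path=/\r\nContent-Type: text/html\r\n\r\n"
POST_LOGIN = "HTTP/1.1 302 Found\r\nSet-Cookie: JSESSIONID=abc123; Path=/\r\nLocation: /\r\n\r\n"
HARDENED = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nSet-Cookie: JSESSIONID=xyz789; Path=/; Secure; HttpOnly\r\n\r\n"
```

Run `audit_response` against a pre-login response and `session_rotated` against the pre-login/post-login pair; an empty findings list and a `True` result indicate the fixed behaviour.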