CVE-2019-6146: Cross Site Scripting (XSS) via Host Header Injection | ForcePoint Web Security 8.4 & 8.5

Vulnerability Name: Cross Site Scripting (XSS) vulnerability via Host Header Injection.

Product: Forcepoint Web Security 8.5 & 8.4

Scenario and Reproduction Steps:

To reproduce this issue, I need Forcepoint to handle an error/exception. Fortunately, I found a website ( which has improper SSL over HTTP. That is why, without Forcepoint, the browser shows the error page below whenever anyone tries to access .


FIG: Generic error without forcepoint installed

Now if any user tries to access the site where Forcepoint is installed, Forcepoint handles this exception by serving the custom page below:

FIG: Custom page of forcepoint

Now, if we monitor the traffic via Burp Suite, we will find the request and response below.


FIG: Request and Response for

Now let’s intercept the traffic while accessing and modify the Host header from to


FIG: Modified Host header with XSS payload

Once this is done, let's check the web interface.


FIG: Bing0000!!!! XSS

Now let's look at the request and response for this.


FIG: Request and response with XSS payload
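The reflection pattern described above, as an added example that is not Forcepoint's code: a constructed proxy-style error page that echoes the request's Host header, shown in its vulnerable form and a hardened form (syntactic host[:port] validation plus HTML escaping), together with a check over constructed log lines that flags Host values no legitimate client would send. The log format, the page text and every host value are assumptions.

```python
import html
import re

# RFC 1123 hostname labels, dotted, with an optional :port. Anything else
# (angle brackets, quotes, spaces) is not a host and must never be echoed raw.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}(?::\d{{1,5}})?$", re.IGNORECASE)


def is_valid_host(host_header: str) -> bool:
    """True only for a syntactically valid host[:port] of sane length (253 + ':65535')."""
    host = host_header.strip()
    return 0 < len(host) <= 259 and _HOST_RE.match(host) is not None


def vulnerable_error_page(host_header: str) -> str:
    """The pattern the advisory describes: the Host header is placed in HTML unescaped."""
    return f"<html><body><p>Unable to connect to {host_header}</p></body></html>"


def hardened_error_page(host_header: str) -> str:
    """Validate first, then HTML-escape (belt and braces); invalid values become neutral text."""
    host = host_header.strip() if is_valid_host(host_header) else "the requested site"
    return f"<html><body><p>Unable to connect to {html.escape(host, quote=True)}</p></body></html>"


def flag_suspicious_hosts(log_lines):
    """Return (line number, host) pairs whose Host value fails validation.
    Constructed log format: '<client_ip> host=<value> status=<code>'."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r"host=(.*?) status=", line)
        if m and not is_valid_host(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    SAMPLE = "bad.example<b>x</b>"  # constructed: markup where a hostname belongs
    print(vulnerable_error_page(SAMPLE))  # the tag lands in the page as live markup
    print(hardened_error_page(SAMPLE))    # replaced by neutral text
    print(hardened_error_page("good.example:8080"))
    LOG = [  # constructed access-log lines
        "10.0.0.1 host=ok.example status=502",
        "10.0.0.2 host=bad.example<b> status=502",
    ]
    print(flag_suspicious_hosts(LOG))  # [(2, 'bad.example<b>')]
```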


  • CVE-2019-6146:
  • ForcePoint KBA:

Video PoC

