SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   Symantec Endpoint Protection Vendors:   Symantec
Symantec Endpoint Protection Manager Bugs Let Remote Users Obtain Potentially Sensitive Information and Lets Local Users Inject SQL Commands
SecurityTracker Alert ID:  1029768
SecurityTracker URL:  http://securitytracker.com/id/1029768
CVE Reference:   CVE-2013-5014, CVE-2013-5015   (Links to External Site)
Date:  Feb 17 2014
Impact:   Disclosure of system information, Disclosure of user information, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 11.0, 12.0, 12.1
Description:   A vulnerability was reported in Symantec Endpoint Protection Manager. A local user can inject SQL commands. A remote user can obtain potentially sensitive information.

A remote user can supply specially crafted XML data to the management console on TCP port 9090 (HTTP) and port 8443(HTTPS) to access potentially sensitive files and functions on the target system [CVE-2013-5014].

The management console does not properly validate local user-supplied input. A local user can supply a specially crafted parameter value to execute SQL commands on the underlying database [CVE-2013-5015].

Stefan Viehbock and Johannes Greil from the SEC Consult Vulnerability Lab reported these vulnerabilities.

Impact:   A local user can execute SQL commands on the underlying database.

A remote user can obtain potentially sensitive information.

Solution:   The vendor has issued a fix (SEPM 11.0 RU7-MP4a (11.0.7405.1424), 12.1 RU4a SBE (12.1.4023.4080), SEPM 12.1 RU4a (12.1.4023.4080)).

The vendor's advisory is available at:

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00

Vendor URL:  www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00 (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC