Two vulnerabilities were reported in Symantec Endpoint Protection Manager. A remote user can conduct cross-site scripting attacks. A remote user can conduct cross-site request forgery attacks.
Version(s): 11.0 RU6 (11.0.600x), 11.0 RU6-MP1 (11.0.6100), 11.0 RU6-MP2 (11.0.6200), 11.0 RU6-MP3 (11.0.6300)
Symantec Endpoint Protection Manager Input Validation Hole Permits Cross-Site Scripting and Cross-Site Request Forgery Attacks.
A remote user can create specially crafted Flash content that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Symantec Endpoint Protection Manager software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor has issued a fix (SEP 11 RU7), available from Symantec Support.