V-192: Symantec Security Information Manager Input Validation Flaws Permit Cross-Site Scripting, SQL Injection, and Information Disclosure Attacks

July 4, 2013 - 6:00am

PROBLEM:

Several vulnerabilities were reported in Symantec Security Information Manager.

PLATFORM:

Symantec Security Information Manager Appliance Version 4.7.x and 4.8.0

ABSTRACT:

Symantec was notified of multiple security issues impacting the SSIM management console.

REFERENCE LINKS:

SecurityTracker Alert ID: 1028727
Symantec Security Advisory SYM13-006

CVE-2013-1613
CVE-2013-1614
CVE-2013-1615

IMPACT ASSESSMENT:

Medium

DISCUSSION:

The console does not properly filter HTML code from user-supplied input before displaying the input.

A remote authenticated user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

A remote user can access webGUI APIs to obtain potentially sensitive information.

IMPACT:

Successful exploitation could result in potential cookie stealing, session hijacking, unauthorized disclosure of sensitive application information and potential for unauthorized database manipulation.

SOLUTION:

Vendor recommends updating to version 4.8.1.
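Added example, not part of this advisory and not Symantec's own tooling: a small Python triage script that applies the version facts stated above (4.7.x and 4.8.0 affected, 4.8.1 the recommended update) to an appliance inventory and tags affected hosts with the three CVEs. The hostnames and version strings in the sample inventory are constructed.

```python
"""Triage SSIM appliance versions against SYM13-006 (CVE-2013-1613/1614/1615).

Facts taken from the advisory: 4.7.x and 4.8.0 are affected; 4.8.1 is the
vendor-recommended update.  Everything else here is assumption or sample data.
"""
import re

ADVISORY = "SYM13-006"
CVES = ("CVE-2013-1613", "CVE-2013-1614", "CVE-2013-1615")
FIXED_VERSION = (4, 8, 1)


def parse_version(text):
    """Turn '4.8.0', '4.7' or 'v4.8.1' into a comparable (major, minor, patch)
    tuple; a missing patch component counts as 0.  Raises ValueError on
    anything that is not a dotted numeric version."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(version):
    """'affected' for any 4.7.x release or 4.8.0, 'fixed' at or above 4.8.1,
    'not listed' for older lines the advisory does not cover (check separately)."""
    v = parse_version(version)
    if v[:2] == (4, 7) or v == (4, 8, 0):
        return "affected"
    if v >= FIXED_VERSION:
        return "fixed"
    return "not listed"


def triage(inventory):
    """Map (hostname, version) pairs to findings.  Unparseable versions are
    reported as 'unknown' rather than skipped, so an inventory gap cannot hide
    an affected appliance."""
    findings = []
    for host, version in inventory:
        try:
            status = classify(version)
        except ValueError:
            status = "unknown"
        findings.append({
            "host": host, "version": version, "status": status,
            "cves": list(CVES) if status == "affected" else [],
            "action": f"update to 4.8.1 per {ADVISORY}" if status == "affected" else "",
        })
    return findings


# Constructed sample inventory: hypothetical hostnames and version strings.
SAMPLE_INVENTORY = [
    ("ssim-prod-01.example", "4.7.4"), ("ssim-prod-02.example", "4.8.0"),
    ("ssim-lab-01.example", "4.8.1"), ("ssim-old.example", "4.6.2"),
    ("ssim-dr.example", "unknown"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']:22} {f['version']:8} {f['status']:10} {f['action']}")
```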
