
CVSS: 6.5 • EPSS: 0% • CPEs: 2 • EXPL: 1

SQL injection vulnerability in the management server in Symantec Critical System Protection (SCSP) 5.2.9 before MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x before 6.0 MP1 allows remote authenticated users to execute arbitrary SQL commands via a crafted HTTP request.

Symantec Data Center Security: Server Advanced (SDCS:SA) and Symantec Critical System Protection (SCSP) suffer from cross site scripting, remote SQL injection, information disclosure, and policy bypass vulnerabilities.

• https://www.exploit-db.com/exploits/35915
• http://packetstormsecurity.com/files/130060/Symantec-SDCS-SA-SCSP-XSS-Bypass-SQL-Injection-Disclosure.html
• http://seclists.org/fulldisclosure/2015/Jan/91
• http://www.securityfocus.com/archive/1/534527/100/0/threaded
• http://www.securityfocus.com/bid/72092
• http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 3.5 • EPSS: 0% • CPEs: 2 • EXPL: 1

Cross-site scripting (XSS) vulnerability in the ajaxswing webui in the Management Console server in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Symantec Data Center Security: Server Advanced (SDCS:SA) and Symantec Critical System Protection (SCSP) suffer from cross site scripting, remote SQL injection, information disclosure, and policy bypass vulnerabilities.

• https://www.exploit-db.com/exploits/35915
• http://packetstormsecurity.com/files/130060/Symantec-SDCS-SA-SCSP-XSS-Bypass-SQL-Injection-Disclosure.html
• http://seclists.org/fulldisclosure/2015/Jan/91
• http://www.securityfocus.com/archive/1/534527/100/0/threaded
• http://www.securityfocus.com/bid/72093
• http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.0 • EPSS: 0% • CPEs: 2 • EXPL: 1

The ajaxswing webui in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to obtain sensitive server information via unspecified vectors.

Symantec Data Center Security: Server Advanced (SDCS:SA) and Symantec Critical System Protection (SCSP) suffer from cross site scripting, remote SQL injection, information disclosure, and policy bypass vulnerabilities.

• https://www.exploit-db.com/exploits/35915
• http://packetstormsecurity.com/files/130060/Symantec-SDCS-SA-SCSP-XSS-Bypass-SQL-Injection-Disclosure.html
• http://seclists.org/fulldisclosure/2015/Jan/91
• http://www.securityfocus.com/archive/1/534527/100/0/threaded
• http://www.securityfocus.com/bid/72094
• http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.2 • EPSS: 0% • CPEs: 2 • EXPL: 1

The management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows local users to bypass intended Protection Policies via unspecified vectors.

Symantec Data Center Security: Server Advanced (SDCS:SA) and Symantec Critical System Protection (SCSP) suffer from cross site scripting, remote SQL injection, information disclosure, and policy bypass vulnerabilities.

• https://www.exploit-db.com/exploits/35915
• http://packetstormsecurity.com/files/130060/Symantec-SDCS-SA-SCSP-XSS-Bypass-SQL-Injection-Disclosure.html
• http://seclists.org/fulldisclosure/2015/Jan/91
• http://www.securityfocus.com/archive/1/534527/100/0/threaded
• http://www.securityfocus.com/bid/72095
• http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 7.5 • EPSS: 83% • CPEs: 6 • EXPL: 5

The management console in Symantec Endpoint Protection Manager (SEPM) 11.0 before 11.0.7405.1424 and 12.1 before 12.1.4023.4080, and Symantec Protection Center Small Business Edition 12.x before 12.1.4023.4080, allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Symantec Endpoint Protection Manager suffers from a remote command execution vulnerability. Versions 11.0, 12.0, and 12.1 are affected.

• https://www.exploit-db.com/exploits/31917
• https://www.exploit-db.com/exploits/31853
• http://www.exploit-db.com/exploits/31853
• http://www.exploit-db.com/exploits/31917
• http://www.securityfocus.com/bid/65466
• http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00
• https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt
• h