CVSS: 4.3EPSS: 1%CPEs: 5EXPL: 0CVE-2011-0550
https://notcve.org/view.php?id=CVE-2011-0550
Multiple cross-site scripting (XSS) vulnerabilities in the Web Interface in the Endpoint Protection Manager in Symantec Endpoint Protection (SEP) 11.0.600x through 11.0.6300 allow remote attackers to inject arbitrary web script or HTML via (1) the token parameter to portal/Help.jsp or (2) the URI in a console/apps/sepm request. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS en el Web Interface en el Endpoint Protection Manager en Symantec Endpoint Protection (SEP) v11.0.600x hasta v11.0.6300 permite a atacantes remotos inyectar código script de su elección o HTML a través del (1) token de parámetro portal/Help.jsp o (2) la URI en una petición console/apps/sepm. • http://secunia.com/advisories/43662 http://securitytracker.com/id?1025919 http://www.osvdb.org/74465 http://www.osvdb.org/74466 http://www.securityfocus.com/bid/48231 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110810_00 https://exchange.xforce.ibmcloud.com/vulnerabilities/69136 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 5EXPL: 0CVE-2011-0551
https://notcve.org/view.php?id=CVE-2011-0551
Cross-site request forgery (CSRF) vulnerability in the Web Interface in the Endpoint Protection Manager in Symantec Endpoint Protection (SEP) 11.0.600x through 11.0.6300 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts. Vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en Web Interface en el Endpoint Protection Manager en Symantec Endpoint Protection (SEP) v11.0.600x hasta v11.0.6300, permite a atacantes remotos secuestrar la autenticación de los administradores para las peticiones que crean cuentas administrativas. • http://secunia.com/advisories/43662 http://securitytracker.com/id?1025919 http://www.osvdb.org/74467 http://www.securityfocus.com/bid/49101 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110810_00 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.3EPSS: 2%CPEs: 24EXPL: 0CVE-2011-0548
https://notcve.org/view.php?id=CVE-2011-0548
Buffer overflow in the Lotus Freelance Graphics PRZ file viewer in Autonomy KeyView, as used in Symantec Mail Security (SMS) 6.x through 8.x, Symantec Brightmail and Messaging Gateway before 9.5.1, and Symantec Data Loss Prevention (DLP) before 10.5.3 and 11.x before 11.1, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted .prz file. NOTE: this may overlap CVE-2011-1217. Desbordamiento de búfer en Lotus Freelance Graphics PRZ file viewer en Auntonomy KeyView, tal como se utiliza en Symantec Mail Security (SMS) v6.x hasta v8.x, Symantec Brightmail y Messaging Gateway antes de v9.5.1, y Symantec Data Loss Prevention (DLP) antes de v10.5.3 y v11.x antes de v11,1, permite a atacantes remotos provocar una denegación de servicio (caída) o ejecutar código de su elección mediante un fichero .prz manipulado. Nota: Esta vulnerabilidad puede solaparse con CVE-2011-1217 • http://secunia.com/advisories/44779 http://securitytracker.com/id?1025594 http://securitytracker.com/id?1025595 http://securitytracker.com/id?1025596 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110531_00 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 2%CPEs: 9EXPL: 0CVE-2011-0549 – Symantec Web Gateway forget.php SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2011-0549
SQL injection vulnerability in forget.php in the management GUI in Symantec Web Gateway 4.5.x allows remote attackers to execute arbitrary SQL commands via the username parameter. Vulnerabilidad de inyección SQL en forget.php en la administración de Symantec Web Gateway v4.5.x, permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro username. This vulnerability allows remote attackers to inject arbitrary SQL on vulnerable installations of the Symantec Web Gateway appliance. Authentication is not required to exploit this vulnerability. The specific flaw exists within the username parameter of POST requests to the forget.php script. The parameter is not sanitized and a remote attacker can abuse this to inject arbitrary SQL into the underlying database. • http://secunia.com/advisories/45146 http://securitytracker.com/id?1025753 http://www.securityfocus.com/bid/48318 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110707_00 http://www.zerodayinitiative.com/advisories/ZDI-11-233 https://exchange.xforce.ibmcloud.com/vulnerabilities/68428 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 1CVE-2011-0546 – Symantec Backup Exec 12.5 - Man In The Middle
https://notcve.org/view.php?id=CVE-2011-0546
Symantec Backup Exec 11.0, 12.0, 12.5, 13.0, and 13.0 R2 does not validate identity information sent between the media server and the remote agent, which allows man-in-the-middle attackers to execute NDMP commands via unspecified vectors. Symantec Backup Exec v11.0, v12.0, v12.5, v13.0 y v13.0R2 no valida la información de identidad enviada entre el servidor media y el agente remoto, que permite a los atacantes de hombre-en-medio (man in the middle) para ejecutar comandos NDMP a través de de vectores no especificados. • https://www.exploit-db.com/exploits/17517 http://marc.info/?l=bugtraq&m=131489365508507&w=2 http://secunia.com/advisories/44698 http://securityreason.com/securityalert/8300 http://www.securityfocus.com/bid/47824 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110526_00 • CWE-20: Improper Input Validation •