CVE-2021-4088 – Blind SQL injection in DLP ePO extension
https://notcve.org/view.php?id=CVE-2021-4088
SQL injection vulnerability in Data Loss Protection (DLP) ePO extension 11.8.x prior to 11.8.100, 11.7.x prior to 11.7.101, and 11.6.401 allows a remote authenticated attacker to inject unfiltered SQL into the DLP part of the ePO database. This could lead to remote code execution on the ePO server with privilege escalation.
• https://kc.mcafee.com/corporate/index?page=content&id=SB10376
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-1485
https://notcve.org/view.php?id=CVE-2015-1485
Cross-site request forgery (CSRF) vulnerability in the administration console in the Enforce Server in Symantec Data Loss Prevention (DLP) before 12.5.2 allows remote attackers to hijack the authentication of administrators.
• http://www.securityfocus.com/bid/75289
• http://www.securitytracker.com/id/1032710
• http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150622_00
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2014-9230
https://notcve.org/view.php?id=CVE-2014-9230
Cross-site scripting (XSS) vulnerability in the administration console in the Enforce Server in Symantec Data Loss Prevention (DLP) before 12.5.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
• http://www.securityfocus.com/bid/75288
• http://www.securitytracker.com/id/1032710
• http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150622_00
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')