6 results (0.015 seconds)

CVSS: 7.5EPSS: 4%CPEs: 20EXPL: 0

SQL injection vulnerability in the management console in Symantec IM Manager before 8.4.18 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en la consola de administración de Symantec IM Manager anterior a v8.4.18 permite a atacantes remotos ejecutar comandos SQL a través de vectores no especificados. • http://secunia.com/advisories/43157 http://securitytracker.com/id?1026130 http://www.securityfocus.com/bid/49738 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110929_00 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.0EPSS: 92%CPEs: 20EXPL: 0

The management console in Symantec IM Manager before 8.4.18 allows remote attackers to execute arbitrary code via unspecified vectors, related to a "code injection issue." La consola de administración de Symantec IM Manager anterior a v8.4.18 permite a atacantes remotos ejecutar código arbitrario a través de vectores no especificados, en relación con un "problema de inyección de código." This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec IM Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Symantec IM Manager web interface exposed by default on TCP port 80. The code in the file '\Program Files\Symantec\IMManager\IMLogWeb\rdprocess.aspx' and in underlying binary objects does not validate or sanitize the rdProcess variable when parsing requests. • http://secunia.com/advisories/43157 http://securitytracker.com/id?1026130 http://www.securityfocus.com/bid/49742 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110929_00 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 4.3EPSS: 15%CPEs: 20EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in the management console in Symantec IM Manager before 8.4.18 allow remote attackers to inject arbitrary web script or HTML via the (1) refreshRateSetting parameter to IMManager/Admin/IMAdminSystemDashboard.asp, the (2) nav or (3) menuitem parameter to IMManager/Admin/IMAdminTOC_simple.asp, or the (4) action parameter to IMManager/Admin/IMAdminEdituser.asp. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en la consola de gestión de Symantec IM Manager anteriores a v8.4.18 permite a atacantes remotos inyectar script de su elección o HTML a través de los parámetros (1) refreshRateSetting sobre IMManager/Admin/IMAdminSystemDashboard.asp, (2) nav o (3) menuitem sobre IMManager/Admin IMAdminTOC_simple.asp, o (4) action sobre IMManager/Admin/IMAdminEdituser.asp. • http://secunia.com/advisories/43157 http://securitytracker.com/id?1026130 http://www.securityfocus.com/bid/49739 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110929_00 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.5EPSS: 1%CPEs: 19EXPL: 0

Eval injection vulnerability in IMAdminSchedTask.asp in the administrative interface for Symantec IM Manager 8.4.16 and earlier allows remote attackers to execute arbitrary code via unspecified parameters to the ScheduleTask method. Vulnerabilidad de inyección mediante eval en IMAdminSchedTask.asp en la interfaz administrativa para Symantec IM Manager v8.4.16 y anteriores, permite a atacantes remotos ejecutar código de su elección a través de parámetros no especificados en el método ScheduleTask. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec IM Manager. Authentication is required to exploit this vulnerability in that a logged in user must be coerced into visiting a malicious link. The specific flaw exists within the ScheduleTask method exposed by the IMAdminSchedTask.asp page hosted on the web interface. This function does not properly sanitize user input from a POST variable before passing it to an eval call. • http://osvdb.org/70755 http://secunia.com/advisories/43143 http://www.securityfocus.com/archive/1/516103/100/0/threaded http://www.securityfocus.com/bid/45946 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110131_00 http://www.vupen.com/english/advisories/2011/0259 http://www.zerodayinitiative.com/advisories/ZDI-11-037 https://exchange.xforce.ibmcloud.com/vulnerabilities/65040 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 10.0EPSS: 96%CPEs: 18EXPL: 0

Multiple SQL injection vulnerabilities in the Administrative Interface in the IIS extension in Symantec IM Manager before 8.4.16 allow remote attackers to execute arbitrary SQL commands via (1) the rdReport parameter to rdpageimlogic.aspx, related to the sGetDefinition function in rdServer.dll, and SQL statements contained within a certain report file; (2) unspecified parameters in a DetailReportGroup (aka DetailReportGroup.lgx) action to rdpageimlogic.aspx; the (3) selclause, (4) whereTrendTimeClause, (5) TrendTypeForReport, (6) whereProtocolClause, or (7) groupClause parameter in a SummaryReportGroup (aka SummaryReportGroup.lgx) action to rdpageimlogic.aspx; the (8) loginTimeStamp, (9) dbo, (10) dateDiffParam, or (11) whereClause parameter in a LoggedInUsers (aka LoggedInUSers.lgx) action to (a) rdpageimlogic.aspx or (b) rdPage.aspx; the (12) selclause, (13) whereTrendTimeClause, (14) TrendTypeForReport, (15) whereProtocolClause, or (16) groupClause parameter to rdpageimlogic.aspx; (17) the groupList parameter to IMAdminReportTrendFormRun.asp; or (18) the email parameter to IMAdminScheduleReport.asp. Múltiples vulnerabilidades de inyección SQL en la Interfaz Administrativa en la extensión IIS en IM Manager de Symantec anterior a versión 8.4.16, permiten a los atacantes remotos ejecutar comandos SQL arbitrarios por medio de (1) el parámetro rdReport en el archivo rdpageimlogic.aspx, relacionado con la función sGetDefinition en la biblioteca rdServer.dll, y declaraciones SQL contenidas en un determinado archivo de informe; (2) parámetros no especificados en una acción DetailReportGroup (también se conoce como DetailReportGroup.lgx) en el archivo rdpageimlogic.aspx; el parámetro (3) selclause, (4) whereTrendTimeClause, (5) TrendTypeForReport, (6) whereProtocolClause o (7) groupClause en una acción SummaryReportGroup (también se conoce como SummaryReportGroup.lgx) en el archivo rdpageimlogic.aspx; el parámetro (8) loginTimeStamp, (9) dbo, (10) dateDiffParam o (11) whereClause en una acción LoggedInUsers (también se conoce como LoggedInUSers.lgx) en el archivo (a) rdpageimlogic.aspx o (b) rdPage.aspx; el parámetro (12) selclause, (13) whereTrendTimeClause, (14) TrendTypeForReport, (15) whereProtocolClause, o (16) groupClause en el archivo rdpageimlogic.aspx; (17) el parámetro groupList en el archivo IMAdminReportTrendFormRun.asp; o (18) parámetro email en el archivo IMAdminScheduleReport.asp. This vulnerability allows remote attackers to inject arbitrary SQL into the backend database on vulnerable installations of Symantec IM Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the IM Manager interface exposed by the web server which listens by default on TCP port 80. The rdpageimlogic.aspx file does not validate the rdReport variable when parsing requests. • http://osvdb.org/68901 http://osvdb.org/68902 http://osvdb.org/68903 http://secunia.com/advisories/41959 http://www.securityfocus.com/bid/44299 http://www.securitytracker.com/id?1024648 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101027_01 http://www.vupen.com/english/advisories/2010/2789 http://www.zerodayinitiative.com/advisories/ZDI-10-220 http://www.zerodayinitiative.com/advisories/ZDI-10-221 ht • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •