CVE-2011-0553
https://notcve.org/view.php?id=CVE-2011-0553
SQL injection vulnerability in the management console in Symantec IM Manager before 8.4.18 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
• http://secunia.com/advisories/43157
• http://securitytracker.com/id?1026130
• http://www.securityfocus.com/bid/49738
• http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110929_00
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2011-0554 – Symantec IM Manager ProcessAction Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2011-0554
The management console in Symantec IM Manager before 8.4.18 allows remote attackers to execute arbitrary code via unspecified vectors, related to a "code injection issue."
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec IM Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Symantec IM Manager web interface exposed by default on TCP port 80. The code in the file '\Program Files\Symantec\IMManager\IMLogWeb\rdprocess.aspx' and in underlying binary objects does not validate or sanitize the rdProcess variable when parsing requests.
• http://secunia.com/advisories/43157
• http://securitytracker.com/id?1026130
• http://www.securityfocus.com/bid/49742
• http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110929_00
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2011-0552
https://notcve.org/view.php?id=CVE-2011-0552
Multiple cross-site scripting (XSS) vulnerabilities in the management console in Symantec IM Manager before 8.4.18 allow remote attackers to inject arbitrary web script or HTML via the (1) refreshRateSetting parameter to IMManager/Admin/IMAdminSystemDashboard.asp, the (2) nav or (3) menuitem parameter to IMManager/Admin/IMAdminTOC_simple.asp, or the (4) action parameter to IMManager/Admin/IMAdminEdituser.asp.
• http://secunia.com/advisories/43157
• http://securitytracker.com/id?1026130
• http://www.securityfocus.com/bid/49739
• http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110929_00
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2010-3719 – Symantec IM Manager Administrative Interface IMAdminSchedTask.asp Eval Code Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2010-3719
Eval injection vulnerability in IMAdminSchedTask.asp in the administrative interface for Symantec IM Manager 8.4.16 and earlier allows remote attackers to execute arbitrary code via unspecified parameters to the ScheduleTask method.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec IM Manager. Authentication is required to exploit this vulnerability in that a logged-in user must be coerced into visiting a malicious link. The specific flaw exists within the ScheduleTask method exposed by the IMAdminSchedTask.asp page hosted on the web interface. This function does not properly sanitize user input from a POST variable before passing it to an eval call.
• http://osvdb.org/70755
• http://secunia.com/advisories/43143
• http://www.securityfocus.com/archive/1/516103/100/0/threaded
• http://www.securityfocus.com/bid/45946
• http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110131_00
• http://www.vupen.com/english/advisories/2011/0259
• http://www.zerodayinitiative.com/advisories/ZDI-11-037
• https://exchange.xforce.ibmcloud.com/vulnerabilities/65040
• CWE-94: Improper Control of Generation of Code ('Code Injection')