CVE-2014-1644
https://notcve.org/view.php?id=CVE-2014-1644
The forgotten-password feature in forcepasswd.do in the management GUI in Symantec LiveUpdate Administrator (LUA) 2.x before 2.3.2.110 allows remote attackers to reset arbitrary passwords by providing the e-mail address associated with a user account. La funcionalidad forgotten-password en forcepasswd.do en la GUI de gestión en Symantec LiveUpdate Administrator (LUA) 2.x anterior a 2.3.2.110 permite a atacantes remotos restablecer contraseñas arbitrarias proporcionando la dirección de email asociada con una cuenta de usuario. • http://archives.neohapsis.com/archives/bugtraq/2014-03/0172.html http://www.securityfocus.com/bid/66399 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140327_00 https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140328-0_Symantec_LiveUpdate_Administrator_Multiple_vulnerabilities_wo_poc_v10.txt • CWE-255: Credentials Management Errors •
CVE-2014-1645
https://notcve.org/view.php?id=CVE-2014-1645
SQL injection vulnerability in forcepasswd.do in the management GUI in Symantec LiveUpdate Administrator (LUA) 2.x before 2.3.2.110 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en forcepasswd.do en la GUI de gestión en Symantec LiveUpdate Administrator (LUA) 2.x anterior a 2.3.2.110 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de vectores no especificados. • http://archives.neohapsis.com/archives/bugtraq/2014-03/0172.html http://www.securityfocus.com/bid/66400 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140327_00 https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140328-0_Symantec_LiveUpdate_Administrator_Multiple_vulnerabilities_wo_poc_v10.txt • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2012-0304
https://notcve.org/view.php?id=CVE-2012-0304
Symantec LiveUpdate Administrator before 2.3.1 uses weak permissions (Everyone: Full Control) for the installation directory, which allows local users to gain privileges via a Trojan horse file. Symantec LiveUpdate Administrator antes de v2.3.1 utiliza permisos débiles (Todos: Control total) para el directorio de instalación, lo que permite a usuarios locales conseguir privilegios a través de un archivo de caballo de Troya. • http://www.nessus.org/plugins/index.php?view=single&id=59193 http://www.securityfocus.com/bid/53903 http://www.securitytracker.com/id?1027182 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120615_00 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2011-1524 – Symantec LiveUpdate Administrator Management GUI - HTML Injection
https://notcve.org/view.php?id=CVE-2011-1524
Cross-site scripting (XSS) vulnerability in the management login GUI page in Symantec LiveUpdate Administrator (LUA) before 2.3 allows remote attackers to inject arbitrary web script or HTML via the username field, as demonstrated by injecting an IFRAME element into the event log, a different vulnerability than CVE-2011-0545. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el inicio de sesión de GUI en Symantec LiveUpdate Administrator (LUA) en versiones anteriores a v2.3 , permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de la inyección de un IFRAME en el log de eventos. Está vulnerabilidad diferente de CVE-2011-0545. • https://www.exploit-db.com/exploits/17026 http://securityreason.com/securityalert/8166 http://securitytracker.com/id?1025242 http://sotiriu.de/adv/NSOADV-2011-001.txt http://www.exploit-db.com/exploits/17026 http://www.securityfocus.com/archive/1/517109/100/0/threaded http://www.securityfocus.com/bid/46856 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110321_00 http://www.vupen.com/english/advisories/20 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-0545 – Symantec LiveUpdate Administrator Management GUI - HTML Injection
https://notcve.org/view.php?id=CVE-2011-0545
Cross-site request forgery (CSRF) vulnerability in adduser.do in Symantec LiveUpdate Administrator (LUA) before 2.3 allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts, and possibly have unspecified other impact, via the userRole parameter. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en adduser.do de Symantec LiveUpdate Administrator (LUA) en versiones anteriores a v2.3, permite a atacantes remotos secuestrar la autenticación de los administradores y posiblemente algún otro impacto no especificado mediante el parámetro userRole . • https://www.exploit-db.com/exploits/17026 http://secunia.com/advisories/43820 http://securityreason.com/securityalert/8160 http://securitytracker.com/id?1025242 http://sotiriu.de/adv/NSOADV-2011-001.txt http://www.exploit-db.com/exploits/17026 http://www.osvdb.org/71261 http://www.securityfocus.com/archive/1/517109/100/0/threaded http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110321_00 http://www. • CWE-352: Cross-Site Request Forgery (CSRF) •