CVE-2014-9229
medium
CVSS v3
—
CVSS v2
6.5
VIR risk
6.5
Description
Multiple SQL injection vulnerabilities in interface PHP scripts in the Manager component in Symantec Endpoint Protection (SEP) before 12.1.6 allow remote authenticated users to execute arbitrary SQL commands by leveraging the Limited Administrator role.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: secure@symantec.com — http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150617_00
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| symantec | endpoint_protection | {"endIncluding":"12.1.5"} | |
References
- http://www.securityfocus.com/bid/75204
- http://www.securitytracker.com/id/1032616
- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150617_00
- http://www.securityfocus.com/bid/75204
- http://www.securitytracker.com/id/1032616
- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150617_00
CWEs
CWE-89
Verify integrity in audit chain (admin only). AS-IS.