cnvd - cnvd-2015-00461

cnvd-2015-00461

Vulnerability from cnvd

Title: 多个Symantec产品跨站脚本漏洞

Description:

Symantec Critical System Protection是一套可防御零时差威胁、强化系统和协助维持遵循状态的入侵侦测软件。Symantec Data Center Security: Server Advanced是赛门铁克推出的系统防护软件。

多个Symantec产品存在跨站脚本漏洞，攻击者可能利用这些漏洞在受影响的不知情用户浏览器的上下文中执行任意脚本代码。可能窃取基于cookie的认证证书，劫持浏览器会话，并启动其他攻击。

Severity: 中

Patch Name: 多个Symantec产品跨站脚本漏洞的补丁

Patch Description:

Symantec Critical System Protection是一套可防御零时差威胁、强化系统和协助维持遵循状态的入侵侦测软件。Symantec Data Center Security: Server Advanced是赛门铁克推出的系统防护软件。多个Symantec产品存在跨站脚本漏洞，攻击者可能利用这些漏洞在受影响的不知情用户浏览器的上下文中执行任意脚本代码。可能窃取基于cookie的认证证书，劫持浏览器会话，并启动其他攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

用户可联系供应商获得补丁信息： http://www.symantec.com/index.jsp

Reference: http://www.securityfocus.com/bid/72093

Impacted products

Name
['Symantec Critical System Protection 5.2.9 MP6', 'Symantec Data Center Security: Server Advanced 6.0.1']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "72093"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2014-9224"
    }
  },
  "description": "Symantec Critical System Protection\u662f\u4e00\u5957\u53ef\u9632\u5fa1\u96f6\u65f6\u5dee\u5a01\u80c1\u3001\u5f3a\u5316\u7cfb\u7edf\u548c\u534f\u52a9\u7ef4\u6301\u9075\u5faa\u72b6\u6001\u7684\u5165\u4fb5\u4fa6\u6d4b\u8f6f\u4ef6\u3002Symantec Data Center Security: Server Advanced\u662f\u8d5b\u95e8\u94c1\u514b\u63a8\u51fa\u7684\u7cfb\u7edf\u9632\u62a4\u8f6f\u4ef6\u3002\r\n\r\n\u591a\u4e2aSymantec\u4ea7\u54c1\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u8fd9\u4e9b\u6f0f\u6d1e\u5728\u53d7\u5f71\u54cd\u7684\u4e0d\u77e5\u60c5\u7528\u6237\u6d4f\u89c8\u5668\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u811a\u672c\u4ee3\u7801\u3002\u53ef\u80fd\u7a83\u53d6\u57fa\u4e8ecookie\u7684\u8ba4\u8bc1\u8bc1\u4e66\uff0c\u52ab\u6301\u6d4f\u89c8\u5668\u4f1a\u8bdd\uff0c\u5e76\u542f\u52a8\u5176\u4ed6\u653b\u51fb\u3002",
  "discovererName": "Stefan Viehbock",
  "formalWay": "\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttp://www.symantec.com/index.jsp",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-00461",
  "openTime": "2015-01-22",
  "patchDescription": "Symantec Critical System Protection\u662f\u4e00\u5957\u53ef\u9632\u5fa1\u96f6\u65f6\u5dee\u5a01\u80c1\u3001\u5f3a\u5316\u7cfb\u7edf\u548c\u534f\u52a9\u7ef4\u6301\u9075\u5faa\u72b6\u6001\u7684\u5165\u4fb5\u4fa6\u6d4b\u8f6f\u4ef6\u3002Symantec Data Center Security: Server Advanced\u662f\u8d5b\u95e8\u94c1\u514b\u63a8\u51fa\u7684\u7cfb\u7edf\u9632\u62a4\u8f6f\u4ef6\u3002\r\n\u591a\u4e2aSymantec\u4ea7\u54c1\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u8fd9\u4e9b\u6f0f\u6d1e\u5728\u53d7\u5f71\u54cd\u7684\u4e0d\u77e5\u60c5\u7528\u6237\u6d4f\u89c8\u5668\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u811a\u672c\u4ee3\u7801\u3002\u53ef\u80fd\u7a83\u53d6\u57fa\u4e8ecookie\u7684\u8ba4\u8bc1\u8bc1\u4e66\uff0c\u52ab\u6301\u6d4f\u89c8\u5668\u4f1a\u8bdd\uff0c\u5e76\u542f\u52a8\u5176\u4ed6\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u4e2aSymantec\u4ea7\u54c1\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Symantec Critical System Protection 5.2.9 MP6",
      "Symantec Data Center Security: Server Advanced 6.0.1"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/72093",
  "serverity": "\u4e2d",
  "submitTime": "2015-01-20",
  "title": "\u591a\u4e2aSymantec\u4ea7\u54c1\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2014-9224 (GCVE-0-2014-9224)

Vulnerability from cvelistv5

Published

2015-01-21 11:00

Modified

2024-08-06 13:40

Severity ?

CWE

Summary

Cross-site scripting (XSS) vulnerability in the ajaxswing webui in the Management Console server in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

References

▼	URL	Tags
	http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00	x_refsource_CONFIRM
	http://www.securityfocus.com/archive/1/534527/100/0/threaded	mailing-list, x_refsource_BUGTRAQ
	http://packetstormsecurity.com/files/130060/Symantec-SDCS-SA-SCSP-XSS-Bypass-SQL-Injection-Disclosure.html	x_refsource_MISC
	http://seclists.org/fulldisclosure/2015/Jan/91	mailing-list, x_refsource_FULLDISC
	http://www.securityfocus.com/bid/72093	vdb-entry, x_refsource_BID

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T13:40:24.641Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory\u0026pvid=security_advisory\u0026year=\u0026suid=20150119_00"
          },
          {
            "name": "20150122 SEC Consult SA-20150122-0 :: Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced (SDCS:SA) \u0026 SCSP",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/534527/100/0/threaded"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/130060/Symantec-SDCS-SA-SCSP-XSS-Bypass-SQL-Injection-Disclosure.html"
          },
          {
            "name": "20150122 SEC Consult SA-20150122-0 :: Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced (SDCS:SA) \u0026 SCSP",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2015/Jan/91"
          },
          {
            "name": "72093",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/72093"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-01-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the ajaxswing webui in the Management Console server in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01",
        "orgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5",
        "shortName": "symantec"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory\u0026pvid=security_advisory\u0026year=\u0026suid=20150119_00"
        },
        {
          "name": "20150122 SEC Consult SA-20150122-0 :: Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced (SDCS:SA) \u0026 SCSP",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/534527/100/0/threaded"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/130060/Symantec-SDCS-SA-SCSP-XSS-Bypass-SQL-Injection-Disclosure.html"
        },
        {
          "name": "20150122 SEC Consult SA-20150122-0 :: Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced (SDCS:SA) \u0026 SCSP",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2015/Jan/91"
        },
        {
          "name": "72093",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/72093"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@symantec.com",
          "ID": "CVE-2014-9224",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the ajaxswing webui in the Management Console server in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory\u0026pvid=security_advisory\u0026year=\u0026suid=20150119_00",
              "refsource": "CONFIRM",
              "url": "http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory\u0026pvid=security_advisory\u0026year=\u0026suid=20150119_00"
            },
            {
              "name": "20150122 SEC Consult SA-20150122-0 :: Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced (SDCS:SA) \u0026 SCSP",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/534527/100/0/threaded"
            },
            {
              "name": "http://packetstormsecurity.com/files/130060/Symantec-SDCS-SA-SCSP-XSS-Bypass-SQL-Injection-Disclosure.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/130060/Symantec-SDCS-SA-SCSP-XSS-Bypass-SQL-Injection-Disclosure.html"
            },
            {
              "name": "20150122 SEC Consult SA-20150122-0 :: Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced (SDCS:SA) \u0026 SCSP",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2015/Jan/91"
            },
            {
              "name": "72093",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/72093"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5",
    "assignerShortName": "symantec",
    "cveId": "CVE-2014-9224",
    "datePublished": "2015-01-21T11:00:00",
    "dateReserved": "2014-12-03T00:00:00",
    "dateUpdated": "2024-08-06T13:40:24.641Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted