CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Symantec : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-3433 79 XSS 2014-06-27 2014-06-27
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the management console in Symantec Data Insight 3.x and 4.x before 4.5 allows remote attackers to inject arbitrary web script or HTML via an unspecified form field, related to an "HTML script injection" issue.
2 CVE-2014-3432 79 XSS 2014-06-27 2014-06-27
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the management console in Symantec Data Insight 3.x and 4.x before 4.5 allows remote attackers to inject arbitrary web script or HTML via an unspecified form field.
3 CVE-2014-3431 264 Bypass 2014-06-21 2014-06-23
4.3
None Local Low Single system Partial Partial Partial
Symantec PGP Desktop 10.x, and Encryption Desktop Professional 10.3.x before 10.3.2 MP2, on OS X uses world-writable permissions for temporary files, which allows local users to bypass intended restrictions on file reading, modification, creation, and permission changes via unspecified vectors.
4 CVE-2014-1652 79 XSS 2014-06-18 2014-07-17
2.9
None Local Network Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the management console in Symantec Web Gateway (SWG) before 5.2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified report parameters.
5 CVE-2014-1651 89 Exec Code Sql 2014-06-18 2014-07-17
5.8
None Local Network Low Not required Partial Partial Partial
SQL injection vulnerability in clientreport.php in the management console in Symantec Web Gateway (SWG) before 5.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
6 CVE-2014-1650 89 Exec Code Sql 2014-06-18 2014-07-17
5.2
None Local Network Low Single system Partial Partial Partial
SQL injection vulnerability in user.php in the management console in Symantec Web Gateway (SWG) before 5.2.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
7 CVE-2014-1649 264 2014-05-16 2014-05-16
7.9
None Local Network Medium Not required Complete Complete Complete
The server in Symantec Workspace Streaming (SWS) before 7.5.0.749 allows remote attackers to access files and functionality by sending a crafted XMLRPC request over HTTPS.
8 CVE-2014-1648 79 XSS 2014-04-23 2014-04-24
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in brightmail/setting/compliance/DlpConnectFlow$view.flo in the management console in Symantec Messaging Gateway 10.x before 10.5.2 allows remote attackers to inject arbitrary web script or HTML via the displayTab parameter.
9 CVE-2014-1647 119 DoS Overflow 2014-04-23 2014-04-24
2.6
None Remote High Not required None None Partial
Symantec PGP Desktop 10.0.x through 10.2.x and Encryption Desktop Professional 10.3.x before 10.3.2 MP1 do not properly perform block-data moves, which allows remote attackers to cause a denial of service (read access violation and application crash) via a malformed certificate.
10 CVE-2014-1646 119 DoS Overflow 2014-04-23 2014-04-24
2.6
None Remote High Not required None None Partial
Symantec PGP Desktop 10.0.x through 10.2.x and Encryption Desktop Professional 10.3.x before 10.3.2 MP1 do not properly perform memory copies, which allows remote attackers to cause a denial of service (read access violation and application crash) via a malformed certificate.
11 CVE-2014-1645 89 Exec Code Sql 2014-03-28 2014-03-31
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in forcepasswd.do in the management GUI in Symantec LiveUpdate Administrator (LUA) 2.x before 2.3.2.110 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
12 CVE-2014-1644 255 2014-03-28 2014-03-31
7.5
None Remote Low Not required Partial Partial Partial
The forgotten-password feature in forcepasswd.do in the management GUI in Symantec LiveUpdate Administrator (LUA) 2.x before 2.3.2.110 allows remote attackers to reset arbitrary passwords by providing the e-mail address associated with a user account.
13 CVE-2014-1643 264 2014-02-06 2014-02-07
4.0
None Remote Low Single system Partial None None
The Web Email Protection component in Symantec Encryption Management Server (aka PGP Universal Server) before 3.3.2 allows remote authenticated users to read the stored outbound e-mail messages of arbitrary users via a modified URL.
14 CVE-2013-5017 Exec Code 2014-06-18 2014-07-17
7.9
None Local Network Medium Not required Complete Complete Complete
SNMPConfig.php in the management console in Symantec Web Gateway (SWG) before 5.2.1 allows remote attackers to execute arbitrary commands via unspecified vectors.
15 CVE-2013-5016 264 Bypass 2014-05-08 2014-05-08
7.6
None Remote High Not required Complete Complete Complete
Symantec Critical System Protection (SCSP) before 5.2.9, when installed on an unpatched Windows Server 2003 R2 platform, allows remote attackers to bypass policy settings via unspecified vectors.
16 CVE-2013-5015 89 2 Exec Code Sql 2014-02-14 2014-03-26
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the management console in Symantec Endpoint Protection Manager (SEPM) 11.0 before 11.0.7405.1424 and 12.1 before 12.1.4023.4080, and Symantec Protection Center Small Business Edition 12.x before 12.1.4023.4080, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
17 CVE-2013-5014 2 2014-02-14 2014-03-26
7.5
None Remote Low Not required Partial Partial Partial
The management console in Symantec Endpoint Protection Manager (SEPM) 11.0 before 11.0.7405.1424 and 12.1 before 12.1.4023.4080, and Symantec Protection Center Small Business Edition 12.x before 12.1.4023.4080, allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
18 CVE-2013-5013 79 XSS 2014-02-10 2014-02-11
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the management console on the Symantec Web Gateway (SWG) appliance before 5.2 allow remote attackers to inject arbitrary web script or HTML via (1) vectors involving PHP scripts and (2) unspecified other vectors.
19 CVE-2013-5012 89 Exec Code Sql 2014-02-10 2014-02-11
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in the management console on the Symantec Web Gateway (SWG) appliance before 5.2 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
20 CVE-2013-5011 22 +Priv Dir. Trav. 2014-01-10 2014-01-27
7.2
None Local Low Not required Complete Complete Complete
Unquoted Windows search path vulnerability in the client in Symantec Endpoint Protection (SEP) 11.x before 11.0.7.4 and 12.x before 12.1.2 RU2 and Endpoint Protection Small Business Edition 12.x before 12.1.2 RU2 allows local users to gain privileges via a crafted program in the %SYSTEMDRIVE% directory.
21 CVE-2013-5010 264 Bypass 2014-01-10 2014-01-27
4.6
None Local Low Not required Partial Partial Partial
The Application/Device Control (ADC) component in the client in Symantec Endpoint Protection (SEP) 11.x before 11.0.7.4 and 12.x before 12.1.2 RU2 and Endpoint Protection Small Business Edition 12.x before 12.1.2 RU2 does not properly handle custom polices, which allows local users to bypass intended policy restrictions and access files or directories via unspecified vectors.
22 CVE-2013-5009 287 +Priv 2014-01-10 2014-01-27
7.4
None Local Network Medium Single system Complete Complete Complete
The Management Console in Symantec Endpoint Protection (SEP) 11.x before 11.0.7.4 and 12.x before 12.1.2 RU2 and Endpoint Protection Small Business Edition 12.x before 12.1.2 RU2 does not properly perform authentication, which allows remote authenticated users to gain privileges by leveraging access to a limited-admin account.
23 CVE-2013-5008 200 DoS +Info 2013-10-10 2013-10-10
4.6
None Local Low Not required Partial Partial Partial
The agent and task-agent components in Symantec Management Platform 7.0 and 7.1 before 7.1 SP2 Mp1.1v7 rollup, as used in certain Altiris products, use the same registry-entry encryption key across different customers' installations, which makes it easier for local users to obtain sensitive information about package-server access, or cause a denial of service, by leveraging knowledge of this key.
24 CVE-2013-4679 119 Overflow +Priv 2013-08-05 2013-10-07
6.6
None Local Medium Single system Complete Complete Complete
Symantec Workspace Virtualization before 6.x before 6.4.1953.0, when a virtual application layer is configured, allows local users to gain privileges via an application that performs crafted interaction with the operating system.
25 CVE-2013-4678 200 +Info 2013-08-05 2013-08-09
2.7
None Local Network Low Single system Partial None None
The NDMP protocol implementation in Symantec Backup Exec 2010 R3 before 2010 R3 SP3 and 2012 before SP2 allows remote authenticated users to obtain sensitive host-version information via unspecified vectors.
26 CVE-2013-4677 264 +Info 2013-08-05 2013-08-22
4.3
None Local Low Single system Partial Partial Partial
Symantec Backup Exec 2010 R3 before 2010 R3 SP3 and 2012 before SP2 uses weak permissions (Everyone: Read and Everyone: Change) for backup data files, which allows local users to obtain sensitive information or modify the outcome of a restore via direct access to these files.
27 CVE-2013-4676 79 XSS 2013-08-05 2013-08-22
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Symantec Backup Exec 2010 R3 before 2010 R3 SP3 and 2012 before SP2 allow remote attackers to inject arbitrary web script or HTML via vectors involving a (1) custom-reports generation page, (2) Storage Devices creation page, or (3) jobs creation page in the management console; or (4) a Backup Exec server-management page in the beutility console.
28 CVE-2013-4674 79 XSS 2013-07-31 2013-07-31
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Web Email Protection component in Symantec Encryption Management Server (formerly Symantec PGP Universal Server) before 3.3.0 MP2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted encrypted e-mail attachment.
29 CVE-2013-4673 20 Exec Code 2013-08-01 2013-08-22
5.8
None Local Network Low Not required Partial Partial Partial
The management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 does not properly implement RADIUS authentication, which allows remote attackers to execute arbitrary code by leveraging access to the login prompt.
30 CVE-2013-4672 264 Bypass 2013-08-01 2014-01-17
7.2
None Local Network Low Multiple systems Complete Complete Complete
The management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 has an incorrect sudoers file, which allows local users to bypass intended access restrictions via a command.
31 CVE-2013-4671 352 CSRF 2013-08-01 2014-01-17
6.0
None Remote Medium Single system Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.
32 CVE-2013-4670 79 XSS 2013-08-01 2014-01-17
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
33 CVE-2013-4575 119 DoS Exec Code Overflow 2013-08-05 2013-08-22
7.9
None Local Network Medium Not required Complete Complete Complete
Heap-based buffer overflow in the utility program in the Linux agent in Symantec Backup Exec 2010 R3 before 2010 R3 SP3 and 2012 before SP2 allows remote attackers to cause a denial of service (agent crash) or possibly execute arbitrary code via unspecified vectors.
34 CVE-2013-1617 89 Exec Code Sql 2013-08-01 2014-01-17
7.4
None Local Network Medium Single system Complete Complete Complete
Multiple SQL injection vulnerabilities in the management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 allow remote authenticated administrators to execute arbitrary SQL commands via unspecified vectors.
35 CVE-2013-1616 78 Exec Code 2013-08-01 2014-01-17
8.3
None Local Network Low Not required Complete Complete Complete
The management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 allows remote attackers to execute arbitrary commands by injecting a command into an application script.
36 CVE-2013-1615 200 +Info 2013-07-08 2013-07-08
2.9
None Local Network Medium Not required Partial None None
The management console (aka Java console) on the Symantec Security Information Manager (SSIM) appliance 4.7.x and 4.8.x before 4.8.1 allows remote attackers to obtain sensitive information via unspecified web-GUI API calls.
37 CVE-2013-1614 79 XSS 2013-07-08 2013-07-08
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the management console (aka Java console) on the Symantec Security Information Manager (SSIM) appliance 4.7.x and 4.8.x before 4.8.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
38 CVE-2013-1613 89 Exec Code Sql 2013-07-08 2013-07-08
4.7
None Local Network Low Multiple systems Partial Partial Partial
SQL injection vulnerability in the management console (aka Java console) on the Symantec Security Information Manager (SSIM) appliance 4.7.x and 4.8.x before 4.8.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
39 CVE-2013-1612 119 Exec Code Overflow 2013-06-19 2013-06-20
7.9
None Local Network Medium Not required Complete Complete Complete
Buffer overflow in secars.dll in the management console in Symantec Endpoint Protection Manager (SEPM) 12.1.x before 12.1.3, and Symantec Endpoint Protection Center (SPC) Small Business Edition 12.0.x, allows remote attackers to execute arbitrary code via unspecified vectors.
40 CVE-2013-1611 79 XSS 2013-05-09 2013-05-10
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in administrative-interface pages in the management console in Symantec Brightmail Gateway 9.5.x allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
41 CVE-2013-1610 +Priv 2013-08-05 2013-08-05
6.8
None Local Low Single system Complete Complete Complete
Unquoted Windows search path vulnerability in RDDService in Symantec PGP Desktop 10.0.x through 10.2.x and Symantec Encryption Desktop 10.3.0 before MP3 allows local users to gain privileges via a Trojan horse application in the %SYSTEMDRIVE% top-level directory.
42 CVE-2013-1609 +Priv 2013-03-26 2013-03-27
6.8
None Local Low Single system Complete Complete Complete
Multiple unquoted Windows search path vulnerabilities in the (1) File Collector and (2) File PlaceHolder services in Symantec Enterprise Vault (EV) for File System Archiving before 9.0.4 and 10.x before 10.0.1 allow local users to gain privileges via a Trojan horse program.
43 CVE-2013-1608 22 Dir. Trav. 2013-03-26 2013-03-26
6.7
None Local Network Low Single system Complete Partial Partial
Directory traversal vulnerability in the Management Console on the Symantec NetBackup (NBU) appliance 2.0.x allows remote attackers to read arbitrary files via unspecified vectors.
44 CVE-2012-6533 119 Overflow +Priv 2013-02-18 2013-02-20
4.4
None Local Medium Not required Partial Partial Partial
Buffer overflow in pgpwded.sys in Symantec PGP Desktop 10.x and Encryption Desktop 10.3.0 before MP1 on Windows XP and Server 2003 allows local users to gain privileges via a crafted application.
45 CVE-2012-4953 119 DoS Exec Code Overflow 2012-11-14 2013-03-11
9.3
None Remote Medium Not required Complete Complete Complete
The decomposer engine in Symantec Endpoint Protection (SEP) 11.0, Symantec Endpoint Protection Small Business Edition 12.0, Symantec AntiVirus Corporate Edition (SAVCE) 10.x, and Symantec Scan Engine (SSE) before 5.2.8 does not properly perform bounds checks of the contents of CAB archives, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted file.
46 CVE-2012-4351 189 Overflow +Priv 2013-02-18 2013-02-18
6.9
None Local Medium Not required Complete Complete Complete
Integer overflow in pgpwded.sys in Symantec PGP Desktop 10.x and Encryption Desktop 10.3.0 before MP1 allows local users to gain privileges via a crafted application.
47 CVE-2012-4350 +Priv 2012-12-18 2013-03-13
7.2
None Local Low Not required Complete Complete Complete
Multiple unquoted Windows search path vulnerabilities in the (1) Manager and (2) Agent components in Symantec Enterprise Security Manager (ESM) before 11.0 allow local users to gain privileges via unspecified vectors.
48 CVE-2012-4349 +Priv 2012-12-11 2013-10-11
7.2
None Local Low Not required Complete Complete Complete
Unquoted Windows search path vulnerability in Symantec Network Access Control (SNAC) 12.1 before RU2 allows local users to gain privileges via unspecified vectors.
49 CVE-2012-4348 20 Exec Code 2012-12-18 2013-03-13
7.2
None Local Network Low Multiple systems Complete Complete Complete
The management console in Symantec Endpoint Protection (SEP) 11.0 before RU7-MP3 and 12.1 before RU2, and Symantec Endpoint Protection Small Business Edition 12.x before 12.1 RU2, does not properly validate input for PHP scripts, which allows remote authenticated users to execute arbitrary code via unspecified vectors.
50 CVE-2012-4347 22 Dir. Trav. 2012-12-05 2013-10-11
5.0
None Remote Low Not required Partial None None
Multiple directory traversal vulnerabilities in the management console in Symantec Messaging Gateway (SMG) 9.5.x allow remote authenticated users to read arbitrary files via a .. (dot dot) in the (1) logFile parameter in a logs action to brightmail/export or (2) localBackupFileSelection parameter in an APPLIANCE restoreSource action to brightmail/admin/restore/download.do.
Total number of vulnerabilities : 369   Page : 1 (This Page)2 3 4 5 6 7 8
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.