CVE-2011-1524 : Cross-site scripting (XSS) vulnerability in the management login GUI page in Sym

Cross-site scripting (XSS) vulnerability in the management login GUI page in Symantec LiveUpdate Administrator (LUA) before 2.3 allows remote attackers to inject arbitrary web script or HTML via the username field, as demonstrated by injecting an IFRAME element into the event log, a different vulnerability than CVE-2011-0545.

Published 2011-03-28 18:55:01

Updated 2018-10-09 19:31:08

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2011-1524

Symantec » Liveupdate Administrator
Versions up to, including, (<=) 2.2.2.9
cpe:2.3:a:symantec:liveupdate_administrator:*:*:*:*:*:*:*:*
Matching versions
Symantec » Liveupdate Administrator » Version: 2.2.2
cpe:2.3:a:symantec:liveupdate_administrator:2.2.2:*:*:*:*:*:*:*
Matching versions
Symantec » Liveupdate Administrator » Version: 2.2.1
cpe:2.3:a:symantec:liveupdate_administrator:2.2.1:*:*:*:*:*:*:*
Matching versions
Symantec » Liveupdate Administrator » Version: 2.1.3
cpe:2.3:a:symantec:liveupdate_administrator:2.1.3:*:*:*:*:*:*:*
Matching versions
Symantec » Liveupdate Administrator » Version: 2.1.2
cpe:2.3:a:symantec:liveupdate_administrator:2.1.2:*:*:*:*:*:*:*
Matching versions
Symantec » Liveupdate Administrator » Version: 2.1.0
cpe:2.3:a:symantec:liveupdate_administrator:2.1.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2011-1524

EPSS FAQ

16.63%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 94 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2011-1524

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2011-1524

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2011-1524

https://exchange.xforce.ibmcloud.com/vulnerabilities/66213

Symantec LiveUpdate Administrator GUI cross-site request forgery CVE-2011-0545 Vulnerability Report

CVEs referencing this url
http://securitytracker.com/id?1025242

Symantec LiveUpdate Administrator Input Validation Flaw Permits Cross-Site Request Forgery Attacks - SecurityTracker
Exploit

CVEs referencing this url
http://www.exploit-db.com/exploits/17026

Symantec LiveUpdate Administrator Management GUI - HTML Injection - Windows webapps Exploit
Exploit

CVEs referencing this url
http://www.securityfocus.com/bid/46856

Symantec LiveUpdate Administrator Management GUI HTML Injection Vulnerability
Exploit
http://www.securityfocus.com/archive/1/517109/100/0/threaded

SecurityFocus

CVEs referencing this url
http://sotiriu.de/adv/NSOADV-2011-001.txt

Exploit

CVEs referencing this url
http://securityreason.com/securityalert/8166

Symantec LiveUpdate Administrator CSRF vulnerability - CXSecurity.com
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110321_00

Symantec LiveUpdate Administrator Cross-Site Request Forgery

CVEs referencing this url
http://www.vupen.com/english/advisories/2011/0727

Webmail | OVH- OVH
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2011-1524

Products affected by CVE-2011-1524

Exploit prediction scoring system (EPSS) score for CVE-2011-1524

CVSS scores for CVE-2011-1524

CWE ids for CVE-2011-1524

References for CVE-2011-1524