Vulnerability Name:

CVE-2011-0550 (CCN-69136)

Assigned:2011-08-10
Published:2011-08-10
Updated:2017-08-17
Summary:Multiple cross-site scripting (XSS) vulnerabilities in the Web Interface in the Endpoint Protection Manager in Symantec Endpoint Protection (SEP) 11.0.600x through 11.0.6300 allow remote attackers to inject arbitrary web script or HTML via (1) the token parameter to portal/Help.jsp or (2) the URI in a console/apps/sepm request.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2011-0550

Source: CCN
Type: SA43662
Symantec Endpoint Protection Manager Cross-Site Scripting and Request Forgery

Source: SECUNIA
Type: Vendor Advisory
43662

Source: SECTRACK
Type: UNKNOWN
1025919

Source: OSVDB
Type: UNKNOWN
74465

Source: OSVDB
Type: UNKNOWN
74466

Source: CCN
Type: OSVDB ID: 74465
Symantec Endpoint Protection Manager /console/apps/sepm URI XSS

Source: CCN
Type: OSVDB ID: 74466
Symantec Endpoint Protection Manager portal/Help.jsp token Parameter XSS

Source: BID
Type: UNKNOWN
48231

Source: CCN
Type: BID-48231
Symantec Endpoint Protection CVE-2011-0550 Cross Site Scripting Vulnerability

Source: CCN
Type: Symantec Web site
Symantec Endpoint Protection Manager Cross-Site Request Forgery and Cross-Site Scripting

Source: CONFIRM
Type: UNKNOWN
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110810_00

Source: XF
Type: UNKNOWN
symantec-endpoint-sepm-xss(69136)

Source: XF
Type: UNKNOWN
symantec-endpoint-sepm-xss(69136)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:symantec:endpoint_protection:11.0.6000:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:endpoint_protection:11.0.6100:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:endpoint_protection:11.0.6200:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:endpoint_protection:11.0.6200.754:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:endpoint_protection:11.0.6300:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:symantec:endpoint_protection:11.0:ru6mp1:*:*:*:*:*:*
  • OR cpe:/a:symantec:endpoint_protection:11.0:ru6mp2:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    symantec endpoint protection 11.0.6000
    symantec endpoint protection 11.0.6100
    symantec endpoint protection 11.0.6200
    symantec endpoint protection 11.0.6200.754
    symantec endpoint protection 11.0.6300
    symantec endpoint protection 11.0 ru6mp1
    symantec endpoint protection 11.0 ru6mp2