Vulnerability CVE-2013-5012

Vulnerability Name:

CVE-2013-5012 (CCN-91010)

Assigned:

2013-07-29

Published:

2014-02-10

Updated:

2014-02-11

Summary:

Multiple SQL injection vulnerabilities in the management console on the Symantec Web Gateway (SWG) appliance before 5.2 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
5.7 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-89

Vulnerability Consequences:

Data Manipulation

References:

Source: MITRE
Type: CNA
CVE-2013-5012

Source: CCN
Type: SA56895
Symantec Web Gateway Cross-Site Scripting and SQL Injection Vulnerabilities

Source: BID
Type: UNKNOWN
65404

Source: CCN
Type: BID-65404
Symantec Web Gateway CVE-2013-5012 Multiple SQL Injection Vulnerabilities

Source: CCN
Type: SYM14-003
Symantec Web Gateway Security Management Console Multiple Security Issues

Source: CONFIRM
Type: Vendor Advisory
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140210_00

Source: XF
Type: UNKNOWN
symantec-gateway-cve20135012-sql-injection(91010)

Vulnerable Configuration:

Configuration 1:

cpe:/a:symantec:web_gateway:*:*:*:*:*:*:*:* (Version <= 5.1.1)

Configuration CCN 1:

cpe:/a:symantec:web_gateway:5.1.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

BACK