Vulnerability Name:

CVE-2014-9224 (CCN-100359)

Assigned:2014-12-03
Published:2015-01-19
Updated:2021-08-04
Summary:Cross-site scripting (XSS) vulnerability in the ajaxswing webui in the Management Console server in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVSS v3 Severity:3.4 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Adjacent
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
3.8 Low (CCN CVSS v2 Vector: AV:A/AC:M/Au:S/C:P/I:P/A:N)
3.3 Low (CCN Temporal CVSS v2 Vector: AV:A/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Adjacent_Network
Access Complexity (AC): Medium
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
References:Source: CCN
Type: BugTraq Mailing List, Thu Jan 22 2015 - 04:36:20 CST
Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced (SDCS:SA) & SCSP

Source: MITRE
Type: CNA
CVE-2014-9224

Source: MISC
Type: UNKNOWN
http://packetstormsecurity.com/files/130060/Symantec-SDCS-SA-SCSP-XSS-Bypass-SQL-Injection-Disclosure.html

Source: FULLDISC
Type: UNKNOWN
20150122 SEC Consult SA-20150122-0 :: Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced (SDCS:SA) & SCSP

Source: BUGTRAQ
Type: UNKNOWN
20150122 SEC Consult SA-20150122-0 :: Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced (SDCS:SA) & SCSP

Source: BID
Type: UNKNOWN
72093

Source: CCN
Type: BID-72093
Multiple Symantec Products CVE-2014-9224 Multiple Cross Site Scripting Vulnerabilities

Source: CCN
Type: Symantec Security Advisory SYM15-001
Symantec Data Center Security: Server Advanced, Multiple Security Issues on Management Server and Protection Policies Rule Bypass

Source: CONFIRM
Type: Vendor Advisory
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00

Source: XF
Type: UNKNOWN
scsp-cve20149224-xss(100359)

Source: CCN
Type: Packet Storm Security [01-22-2015]
Symantec SDCS:SA / SCSP XSS / Bypass / SQL Injection / Disclosure

Vulnerable Configuration:Configuration 1:
  • cpe:/a:broadcom:symantec_critical_system_protection:5.2.9:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/a:symantec:data_center_security:6.0.0:*:*:*:server_advanced:*:*:*

    • Configuration CCN 1:
  • cpe:/a:broadcom:symantec_critical_system_protection:5.2.9:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    broadcom symantec critical system protection 5.2.9
    symantec data center security 6.0.0
    symantec critical system protection 5.2.9