cnvd - cnvd-2015-00461

CNVD-2015-00461

Vulnerability from cnvd - Published: 2015-01-22

Title

多个Symantec产品跨站脚本漏洞

Description

Symantec Critical System Protection是一套可防御零时差威胁、强化系统和协助维持遵循状态的入侵侦测软件。Symantec Data Center Security: Server Advanced是赛门铁克推出的系统防护软件。多个Symantec产品存在跨站脚本漏洞，攻击者可能利用这些漏洞在受影响的不知情用户浏览器的上下文中执行任意脚本代码。可能窃取基于cookie的认证证书，劫持浏览器会话，并启动其他攻击。

Severity

中

Patch Name

多个Symantec产品跨站脚本漏洞的补丁

Patch Description

Formal description

用户可联系供应商获得补丁信息： http://www.symantec.com/index.jsp

Reference

http://www.securityfocus.com/bid/72093

Impacted products

Name
['Symantec Critical System Protection 5.2.9 MP6', 'Symantec Data Center Security: Server Advanced 6.0.1']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "72093"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2014-9224"
    }
  },
  "description": "Symantec Critical System Protection\u662f\u4e00\u5957\u53ef\u9632\u5fa1\u96f6\u65f6\u5dee\u5a01\u80c1\u3001\u5f3a\u5316\u7cfb\u7edf\u548c\u534f\u52a9\u7ef4\u6301\u9075\u5faa\u72b6\u6001\u7684\u5165\u4fb5\u4fa6\u6d4b\u8f6f\u4ef6\u3002Symantec Data Center Security: Server Advanced\u662f\u8d5b\u95e8\u94c1\u514b\u63a8\u51fa\u7684\u7cfb\u7edf\u9632\u62a4\u8f6f\u4ef6\u3002\r\n\r\n\u591a\u4e2aSymantec\u4ea7\u54c1\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u8fd9\u4e9b\u6f0f\u6d1e\u5728\u53d7\u5f71\u54cd\u7684\u4e0d\u77e5\u60c5\u7528\u6237\u6d4f\u89c8\u5668\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u811a\u672c\u4ee3\u7801\u3002\u53ef\u80fd\u7a83\u53d6\u57fa\u4e8ecookie\u7684\u8ba4\u8bc1\u8bc1\u4e66\uff0c\u52ab\u6301\u6d4f\u89c8\u5668\u4f1a\u8bdd\uff0c\u5e76\u542f\u52a8\u5176\u4ed6\u653b\u51fb\u3002",
  "discovererName": "Stefan Viehbock",
  "formalWay": "\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttp://www.symantec.com/index.jsp",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-00461",
  "openTime": "2015-01-22",
  "patchDescription": "Symantec Critical System Protection\u662f\u4e00\u5957\u53ef\u9632\u5fa1\u96f6\u65f6\u5dee\u5a01\u80c1\u3001\u5f3a\u5316\u7cfb\u7edf\u548c\u534f\u52a9\u7ef4\u6301\u9075\u5faa\u72b6\u6001\u7684\u5165\u4fb5\u4fa6\u6d4b\u8f6f\u4ef6\u3002Symantec Data Center Security: Server Advanced\u662f\u8d5b\u95e8\u94c1\u514b\u63a8\u51fa\u7684\u7cfb\u7edf\u9632\u62a4\u8f6f\u4ef6\u3002\r\n\u591a\u4e2aSymantec\u4ea7\u54c1\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u8fd9\u4e9b\u6f0f\u6d1e\u5728\u53d7\u5f71\u54cd\u7684\u4e0d\u77e5\u60c5\u7528\u6237\u6d4f\u89c8\u5668\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u811a\u672c\u4ee3\u7801\u3002\u53ef\u80fd\u7a83\u53d6\u57fa\u4e8ecookie\u7684\u8ba4\u8bc1\u8bc1\u4e66\uff0c\u52ab\u6301\u6d4f\u89c8\u5668\u4f1a\u8bdd\uff0c\u5e76\u542f\u52a8\u5176\u4ed6\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u4e2aSymantec\u4ea7\u54c1\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Symantec Critical System Protection 5.2.9 MP6",
      "Symantec Data Center Security: Server Advanced 6.0.1"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/72093",
  "serverity": "\u4e2d",
  "submitTime": "2015-01-20",
  "title": "\u591a\u4e2aSymantec\u4ea7\u54c1\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2014-9224 (GCVE-0-2014-9224)

Vulnerability from cvelistv5 – Published: 2015-01-21 11:00 – Updated: 2024-08-06 13:40

Summary

Cross-site scripting (XSS) vulnerability in the ajaxswing webui in the Management Console server in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Severity ?

No CVSS data available.

CWE

Assigner

symantec

References

URL

Tags

	http://www.symantec.com/security_response/securit…	x_refsource_CONFIRM
	http://www.securityfocus.com/archive/1/534527/100…	mailing-listx_refsource_BUGTRAQ
	http://packetstormsecurity.com/files/130060/Syman…	x_refsource_MISC
	http://seclists.org/fulldisclosure/2015/Jan/91	mailing-listx_refsource_FULLDISC
	http://www.securityfocus.com/bid/72093	vdb-entryx_refsource_BID

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T13:40:24.641Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory\u0026pvid=security_advisory\u0026year=\u0026suid=20150119_00"
          },
          {
            "name": "20150122 SEC Consult SA-20150122-0 :: Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced (SDCS:SA) \u0026 SCSP",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/534527/100/0/threaded"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/130060/Symantec-SDCS-SA-SCSP-XSS-Bypass-SQL-Injection-Disclosure.html"
          },
          {
            "name": "20150122 SEC Consult SA-20150122-0 :: Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced (SDCS:SA) \u0026 SCSP",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2015/Jan/91"
          },
          {
            "name": "72093",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/72093"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-01-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the ajaxswing webui in the Management Console server in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01",
        "orgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5",
        "shortName": "symantec"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory\u0026pvid=security_advisory\u0026year=\u0026suid=20150119_00"
        },
        {
          "name": "20150122 SEC Consult SA-20150122-0 :: Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced (SDCS:SA) \u0026 SCSP",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/534527/100/0/threaded"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/130060/Symantec-SDCS-SA-SCSP-XSS-Bypass-SQL-Injection-Disclosure.html"
        },
        {
          "name": "20150122 SEC Consult SA-20150122-0 :: Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced (SDCS:SA) \u0026 SCSP",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2015/Jan/91"
        },
        {
          "name": "72093",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/72093"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@symantec.com",
          "ID": "CVE-2014-9224",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the ajaxswing webui in the Management Console server in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory\u0026pvid=security_advisory\u0026year=\u0026suid=20150119_00",
              "refsource": "CONFIRM",
              "url": "http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory\u0026pvid=security_advisory\u0026year=\u0026suid=20150119_00"
            },
            {
              "name": "20150122 SEC Consult SA-20150122-0 :: Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced (SDCS:SA) \u0026 SCSP",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/534527/100/0/threaded"
            },
            {
              "name": "http://packetstormsecurity.com/files/130060/Symantec-SDCS-SA-SCSP-XSS-Bypass-SQL-Injection-Disclosure.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/130060/Symantec-SDCS-SA-SCSP-XSS-Bypass-SQL-Injection-Disclosure.html"
            },
            {
              "name": "20150122 SEC Consult SA-20150122-0 :: Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced (SDCS:SA) \u0026 SCSP",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2015/Jan/91"
            },
            {
              "name": "72093",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/72093"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5",
    "assignerShortName": "symantec",
    "cveId": "CVE-2014-9224",
    "datePublished": "2015-01-21T11:00:00",
    "dateReserved": "2014-12-03T00:00:00",
    "dateUpdated": "2024-08-06T13:40:24.641Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2015-00461

CVE-2014-9224 (GCVE-0-2014-9224)

Tags

Sightings

Nomenclature