Symantec LiveUpdate Administrator Unauthenticated Vulnerabilities

Last Update Date: 31 Mar 2014 18:00
Release Date: 31 Mar 2014

RISK: High Risk

TYPE: Security software and application - Security Software & Appliance

Two vulnerabilities have been identified in Symantec LiveUpdate Administrator. A remote user can exploit them to inject SQL commands and to reset account passwords to arbitrary values.

  • The management web interface does not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.
  • The management web interface does not provide proper protection for the forgotten password function. A remote user with knowledge of a valid user account email address can reset the target account's password to an arbitrary value.
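The two weaknesses above, as an added example that is not Symantec's code: a reset handler that builds SQL from strings and accepts an email address as the only proof of identity, next to a version that uses bound parameters and a mailed, hashed, expiring, single-use token. The schema, function names, sample account and the 15-minute lifetime are assumptions, with Python and SQLite standing in for the product's stack.

```python
import hashlib, hmac, secrets, sqlite3, time

TOKEN_TTL = 900  # seconds a reset token stays valid (assumed policy)

def make_db():
    # Constructed sample data; the demo stores pw as-is, a real service stores a salted hash.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw TEXT, "
               "reset_hash TEXT, reset_exp REAL)")
    db.execute("INSERT INTO users VALUES ('admin@example.test', 'old', NULL, NULL)")
    return db

def weak_reset(db, email, new_pw):
    # Flawed pattern: input is pasted into the SQL text, and knowing the
    # email address is all it takes to set a new password.
    cur = db.execute("UPDATE users SET pw = '%s' WHERE email = '%s'" % (new_pw, email))
    return cur.rowcount

def request_reset(db, email, now=None):
    # Step 1: issue a random token. Only its hash is stored, and the same
    # response is given whether or not the address exists.
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    db.execute("UPDATE users SET reset_hash = ?, reset_exp = ? WHERE email = ?",
               (digest, now + TOKEN_TTL, email))
    return token  # a real service emails this to the owner, never to the requester

def confirm_reset(db, email, token, new_pw, now=None):
    # Step 2: the password changes only for a caller holding the mailed token.
    now = time.time() if now is None else now
    row = db.execute("SELECT reset_hash, reset_exp FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None or row[0] is None or now > row[1]:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, row[0]):
        return False
    # Single use: the token is cleared in the statement that sets the password.
    db.execute("UPDATE users SET pw = ?, reset_hash = NULL, reset_exp = NULL "
               "WHERE email = ?", (new_pw, email))
    return True
```
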

Impact

  • Security Restriction Bypass

System / Technologies affected

  • Symantec LiveUpdate Administrator 2.3.2 and prior

Solutions

Before installing the software, please visit the software manufacturer's website for more details.

  • Update to version 2.3.2.110.

Vulnerability Identifier


Source


Related Link