Symantec LiveUpdate Administrator Unauthenticated Vulnerabilities
Last Update Date: 31 Mar 2014 18:00
Release Date: 31 Mar 2014
RISK: High Risk
TYPE: Security software and application - Security Software & Appliance
Two vulnerabilities have been identified in Symantec LiveUpdate Administrator, which can be exploited by a remote user to inject SQL commands and to reset account passwords to arbitrary values.
- The management web interface does not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.
- The management web interface does not provide proper protection for the forgotten password function. A remote user with knowledge of a valid user account email address can reset the target account's password to an arbitrary value.
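The two controls whose absence is described above, shown in generic form as an added example (not Symantec's code and not part of the original advisory): every query binds user input as a parameter, and a password change requires a single-use, expiring token sent to the address on file rather than knowledge of the e-mail address alone. The table layout, function names, sample account and `TOKEN_TTL` value are assumptions.

```python
import hashlib, hmac, secrets, sqlite3, time

TOKEN_TTL = 900  # seconds a reset token stays valid (assumed value)

def hash_pw(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def make_db():
    # Constructed sample data: one account in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT,"
               " reset_hash TEXT, reset_expiry REAL)")
    db.execute("INSERT INTO users VALUES (?, ?, NULL, NULL)",
               ("admin@example.test", hash_pw("original")))
    return db

def check_pw(db, email, password):
    # Bound parameters: user input is always data, never part of the SQL text.
    row = db.execute("SELECT pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt = bytes.fromhex(row[0].split("$")[0])
    return hmac.compare_digest(row[0], hash_pw(password, salt))

def request_reset(db, email, now=None):
    # Returns the token to e-mail to the address on file (None if unknown).
    # The web response should be identical in both cases.
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()  # store only a hash
    cur = db.execute("UPDATE users SET reset_hash = ?, reset_expiry = ?"
                     " WHERE email = ?", (digest, now + TOKEN_TTL, email))
    return token if cur.rowcount else None

def complete_reset(db, email, token, new_password, now=None):
    # Knowing the e-mail address is not enough: the mailed token must match.
    now = time.time() if now is None else now
    row = db.execute("SELECT reset_hash, reset_expiry FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None or row[0] is None or now > row[1]:
        return False
    supplied = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(row[0], supplied):  # constant-time comparison
        return False
    # Clearing the stored hash makes the token single-use.
    db.execute("UPDATE users SET pw_hash = ?, reset_hash = NULL,"
               " reset_expiry = NULL WHERE email = ?", (hash_pw(new_password), email))
    return True
```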
Impact
- Security Restriction Bypass
System / Technologies affected
- Symantec LiveUpdate Administrator 2.3.2 and prior
Solutions
Before installation of the software, please visit the software manufacturer's website for more details.
- Update to version 2.3.2.110.
Vulnerability Identifier
Source
Related Link