Symantec IM Manager < 8.4.16 Multiple SQL Injections (SYM10-010)

This script is Copyright (C) 2010-2016 Tenable Network Security, Inc.


Synopsis :

A web application on the remote Windows host may be affected by
multiple SQL injection vulnerabilities.

Description :

The version of Symantec IM Manager installed on the remote Windows
host is earlier than 8.4.16. Such versions are reportedly affected by
multiple SQL injection vulnerabilities in the administration console.

An unauthenticated, remote attacker may be able to exploit these issues
to compromise the application's database.

See also :

http://www.zerodayinitiative.com/advisories/ZDI-10-220/
http://www.zerodayinitiative.com/advisories/ZDI-10-221/
http://www.zerodayinitiative.com/advisories/ZDI-10-222/
http://www.zerodayinitiative.com/advisories/ZDI-10-223
http://www.zerodayinitiative.com/advisories/ZDI-10-224/
http://www.zerodayinitiative.com/advisories/ZDI-10-225/
http://www.zerodayinitiative.com/advisories/ZDI-10-226/
http://seclists.org/fulldisclosure/2010/Oct/429
http://seclists.org/fulldisclosure/2010/Oct/430
http://seclists.org/fulldisclosure/2010/Oct/426
http://seclists.org/fulldisclosure/2010/Oct/424
http://seclists.org/fulldisclosure/2010/Oct/425
http://seclists.org/fulldisclosure/2010/Oct/427
http://seclists.org/fulldisclosure/2010/Oct/428
http://www.nessus.org/u?bf68d8df

Solution :

Upgrade to Symantec IM Manager 8.4.16 (build 8.4.1393) or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 50432

Bugtraq ID: 44299

CVE ID: CVE-2010-0112
