Symantec IM Manager 8.x < 8.3.14 (SYM10-005 and SYM10-006)
High Nessus Plugin ID 45018
Synopsis
The instant messaging security application running on the remote Windows host may be affected by multiple vulnerabilities.
Description
A version of Symantec IM Manager 8.x earlier than 8.3.14 is installed on the remote Windows host. Such versions may be affected by one or both of the following vulnerabilities:
- An integer overflow vulnerability in the third-party Autonomy KeyView module can be triggered when parsing a specially crafted OLE document and lead to a heap overflow and execution of arbitrary code. (CVE-2009-3032)
- The IM Manager console fails to properly filter user input from non-privileged users with authorized access to the console, which can be exploited to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected site. (CVE-2009-3036)
Solution
Upgrade to Symantec IM Manager 8.4.13 (build 8.4.1362) or later.