Symantec IM Manager 'eval()' Code Injection Vulnerability

Summary
Symantec IM Manager is installed on this host and is prone to a code injection vulnerability.
Impact
Successful exploitation will allow an attacker to execute arbitrary code on the system.
Impact Level: Application
Solution
Upgrade to Symantec IM Manager version 8.4.17 or later. For updates, refer to http://www.symantec.com/business/im-manager
Insight
The flaw is caused by an input validation error in the 'ScheduleTask' method of the 'IMAdminSchedTask.asp' page within the administration console when it processes a POST variable via an 'eval()' call. Attackers could exploit this to inject and execute arbitrary ASP code by enticing a logged-in console user to visit a malicious link.
Affected
Symantec IM Manager versions 8.4.16 and prior