Symantec LiveUpdate Administrator < 2.3.2.110 Multiple Vulnerabilities (SYM14-005)

high Nessus Plugin ID 73275

Language:

Synopsis

A web application on the remote host is affected by multiple vulnerabilities.

Description

The version of Symantec LiveUpdate Administrator 2.x hosted on the remote web server is prior to 2.3.2.110 (2.3.2.1). It is, therefore, affected by the following vulnerabilities :

- A flaw exists with the forgotten password functionality where the password for an authorized user account can be forcefully reset. This could allow a remote attacker with knowledge of the account's email address to reset the password and potentially gain full access to the administrator web interface. (CVE-2014-1644)

- Multiple SQL injection flaws exist within the application, including the password recovery functionality. This could allow a remote attacker to inject or manipulate SQL queries, allowing the manipulation or disclosure of arbitrary data.
(CVE-2014-1645)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to LiveUpdate Administrator 2.3.2.110 or later.

Plugin Details

Severity: High

ID: 73275

File Name: symantec_lua_2_3_2_110.nasl

Version: 1.9

Type: remote

Family: CGI abuses

Published: 3/31/2014

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2014-1645

Vulnerability Information

CPE: cpe:/a:symantec:liveupdate_administrator

Required KB Items: www/symantec_lua

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 3/27/2014

Vulnerability Publication Date: 3/27/2014

Reference Information

CVE: CVE-2014-1644, CVE-2014-1645

BID: 66399, 66400

IAVB: 2014-B-0034

Detections

Analytics