CVE-2014-3437

Symantec Endpoint Protection Manager < 12.1.4 - XXE

Title source: rule

Description

The management console in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU5 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Exploits (1)

exploitdb WRITEUP
webapps / jsp
https://www.exploit-db.com/exploits/35181

Scores

EPSS 0.1768
EPSS Percentile 95.1%

Details

Status published
Products (5)
symantec/endpoint_protection_manager 12.1.0
symantec/endpoint_protection_manager 12.1.1
symantec/endpoint_protection_manager 12.1.2
symantec/endpoint_protection_manager 12.1.3
symantec/endpoint_protection_manager < 12.1.4
Published Nov 07, 2014
Tracked Since Feb 18, 2026