CVE-2014-9224

Symantec SCSP/SDCS:SA <6.0 MP1 - XSS

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in the ajaxswing webui in the Management Console server in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Exploits (1)

exploitdb WORKING POC

webappsmultiple

https://www.exploit-db.com/exploits/35915

View Code ZIP pw:eip

References (5)

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/130060/Symantec-SDCS-SA-SCSP-XSS-Bypass-SQL-Injection-Disclosure.html

[Mailing List] http://seclists.org/fulldisclosure/2015/Jan/91

[Vendor Advisory] http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/534527/100/0/threaded

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/72093

Scores

EPSS 0.0398

EPSS Percentile 88.4%

Details

CWE

CWE-79

Status published

Products (2)

broadcom/symantec_critical_system_protection 5.2.9

symantec/data_center_security 6.0.0

Published Jan 21, 2015

Tracked Since Feb 18, 2026