CVE-2016-3652

MEDIUM

Symantec Endpoint Protection Manager <12.1 - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-3652. PoCs published by hyp3rlinx.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in Symantec Endpoint Protection Manager (SEPM) v12.1, including XSS, CSRF, and Open Redirect. It includes proof-of-concept examples for each vulnerability type, such as bypassing HttpOnly cookie protection via XSS and redirecting users to malicious URLs.

Description

Multiple cross-site scripting (XSS) vulnerabilities in management scripts in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Exploits (1)

exploitdb WORKING POC VERIFIED
by hyp3rlinx · textwebappsphp
https://www.exploit-db.com/exploits/40041

The exploit demonstrates multiple vulnerabilities in Symantec Endpoint Protection Manager (SEPM) v12.1, including XSS, CSRF, and Open Redirect. It includes proof-of-concept examples for each vulnerability type, such as bypassing HttpOnly cookie protection via XSS and redirecting users to malicious URLs.

Classification
Working Poc 100%
Attack Type
Xss | Csrf | Other
Complexity
Trivial
Reliability
Reliable
Target: Symantec Endpoint Protection Manager v12.1
Auth required
Prerequisites: Access to the SEP Management console · Victim interaction for CSRF and Open Redirect
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036196
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40041/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/91444

Scores

CVSS v3 5.4
EPSS 0.0255
EPSS Percentile 83.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
symantec/endpoint_protection_manager < 12.1.6
Published Jun 30, 2016
Tracked Since Feb 18, 2026