Vigil@nce - Symantec Endpoint Protection: multiple vulnerabilities
August 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use several vulnerabilities of Symantec Endpoint
Protection.
Impacted products: Symantec Endpoint Protection.
Severity: 2/4.
Creation date: 29/06/2016.
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in Symantec Endpoint
Protection.
An attacker can trigger a Cross Site Request Forgery, in order to
force the victim to perform operations. [severity:2/4;
CVE-2016-3647]
An attacker can try many authentication attempts since accounts
are never locked. [severity:1/4; CVE-2016-3648]
An attacker can get information on existing administrator
accounts. [severity:1/4; CVE-2016-3649]
An attacker can get server credentials. [severity:1/4;
CVE-2016-3650]
An attacker can trigger a Cross Site Scripting via a DOM
interface, in order to run JavaScript code in the context of the
web site. [severity:2/4; CVE-2016-3651]
An attacker can trigger a Cross Site Scripting via a management
console, in order to run JavaScript code in the context of the web
site. [severity:2/4; CVE-2016-3652]
An attacker can trigger a Cross Site Request Forgery via a
management console, in order to force the victim to perform
operations. [severity:2/4; CVE-2016-3653]
An attacker can deceive the user, in order to redirect him to a
malicious site. [severity:1/4; CVE-2016-5304]
An attacker can change a DOM interface to manipulate a link on php
script. [severity:1/4; CVE-2016-5305]
An attacker can bypass "Strict transport security" rules using the
port 8445. [severity:1/4; CVE-2016-5306]
An attacker can traverse directories in the management console, in
order to read a file outside the root path. [severity:2/4;
CVE-2016-5307]
An attacker can exploit race conditions, in order to escalate his
privileges. [severity:1/4; CVE-2015-8801]
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Symantec-Endpoint-Protection-multiple-vulnerabilities-19996