Symantec SecurityExpressions Cross-site Scripting and HTML Injection Vulnerability

Article:TECH45634  |  Created: 2009-10-05  |  Updated: 2009-10-05  |  Article URL http://www.symantec.com/docs/TECH45634
Article Type
Technical Solution


Issue

Symantec was notified of a cross-site scripting issue in the SecurityExpressions Audit and Compliance Server. The console fails to properly filter and validate external client input from users with authorized access to the console. Error messages may be susceptible to unauthorized manipulation, so that potentially malicious scripts are directed to unsuspecting users.

Additionally, some response error messages are not properly encoded, which could allow malicious HTML content to be injected into the response returned to a user. These issues could result in unauthorized access to other users' sessions or to other systems on the internal network, as well as unauthorized information disclosure.
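The two weaknesses described above (missing input validation and missing output encoding of error messages) are illustrated by the following Python, which is an added example and not code from this advisory or from the SecurityExpressions product. The error template, the allowlist pattern, and every function name are assumptions made for the illustration. It renders a constructed error message once without encoding and once with encoding, and includes a check that lists any tag in a response that the template itself did not contain, which is the kind of assertion a regression test for this class of issue would make.

```python
import html
import re

# Constructed sample: a console error template that reflects a user-supplied value.
# Hypothetical; not taken from the SecurityExpressions product.
ERROR_TEMPLATE = '<p class="error">Audit policy "{name}" could not be loaded.</p>'

# Allowlist for the kind of value expected in this field (assumed format).
_POLICY_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")
# Matches an HTML start or end tag.
_TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")


def is_valid_policy_name(name: str) -> bool:
    """Input validation: accept only names that match the allowlist pattern."""
    return bool(_POLICY_NAME_RE.fullmatch(name))


def render_error_unencoded(name: str) -> str:
    """Weak pattern: the untrusted value lands in the HTML response unchanged."""
    return ERROR_TEMPLATE.format(name=name)


def render_error_encoded(name: str) -> str:
    """Hardened pattern: HTML-encode the value so the browser renders it as text."""
    return ERROR_TEMPLATE.format(name=html.escape(name, quote=True))


def injected_tags(rendered: str, template: str = ERROR_TEMPLATE) -> list:
    """Detection check: return the tags present in the response but absent from the template."""
    expected = _TAG_RE.findall(template)
    found = _TAG_RE.findall(rendered)
    for tag in expected:
        if tag in found:
            found.remove(tag)
    return found


def handle_request(name: str) -> str:
    """Defence in depth: reject values outside the allowlist, then encode whatever is rendered."""
    if not is_valid_policy_name(name):
        name = "(invalid policy name)"
    return render_error_encoded(name)


if __name__ == "__main__":
    # Constructed probe: harmless markup, enough to show whether the response treats it as HTML.
    sample = 'Baseline<b title="x">bold</b>'
    print(render_error_unencoded(sample))
    print("injected:", injected_tags(render_error_unencoded(sample)))
    print(render_error_encoded(sample))
    print("injected:", injected_tags(render_error_encoded(sample)))
    print(handle_request(sample))
```

The unencoded rendering reports two tags that the template never contained, which is exactly the condition the advisory describes; the encoded rendering reports none, and the request handler additionally refuses the value before it is rendered. Validation and encoding are kept as separate steps because either one alone leaves a gap: validation rules change as fields are added, while encoding at the point of output protects every field regardless of what was accepted upstream.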


Environment

SecurityExpressions Audit and Compliance Server 4.1.1

Solution

Symantec product engineers have released a hot fix for these issues in affected product versions. Symantec recommends all customers apply the latest available update to protect against threats of this nature.

Symantec is not aware of any exploitation of or adverse customer impact from these issues.

Symantec recommends that all customers apply the available hot fix to protect against potential attempts to exploit these issues. The zip file attached to this article contains the Hot Fix for the SecurityExpressions Audit and Compliance Server Version 4.1.1, for both 32-bit and 64-bit versions, together with the necessary documentation.

Attachments

seserver-4.1.1-Hot-Fix-1.zip (3.1 MBytes)

Legacy ID

49452