Description
Multiple vulnerabilities have been reported in Symantec IM Manager, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.
1) Input passed to the "refreshRateSetting" parameter in IMManager/Admin/IMAdminSystemDashboard.asp, the "nav" and "menuitem" parameters in IMManager/Admin/IMAdminTOC_simple.asp, and the "action" parameter in IMManager/Admin/IMAdminEdituser.asp is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
2) Input passed via the "rdProcess" parameter to IMManager/IMLogWeb/rdprocess.aspx is not properly sanitised before being used in "rdServer.ActionProcessor.ProcessAction()" calls. This can be exploited to inject and execute arbitrary shell commands.
Successful exploitation of this vulnerability may allow execution of arbitrary code.
The vulnerabilities are reported in version 8.4.17 and prior.
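An added example (not part of the advisory and not Symantec's code): a log check a defender could run to flag requests in which the parameters listed above carry values outside a conservative allowlist. The IIS W3C log format, the allowlist pattern and the sample lines are assumptions; parameters sent in a POST body do not appear in these logs.

```python
import re
from urllib.parse import parse_qsl

# Endpoint -> parameters named in the advisory (paths compared case-insensitively).
WATCHED = {
    "/immanager/admin/imadminsystemdashboard.asp": {"refreshratesetting"},
    "/immanager/admin/imadmintoc_simple.asp": {"nav", "menuitem"},
    "/immanager/admin/imadminedituser.asp": {"action"},
    "/immanager/imlogweb/rdprocess.aspx": {"rdprocess"},
}
# Assumption: legitimate values are short plain tokens; tune per deployment.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.\-]{0,64}")

def scan_w3c(lines):
    """Yield (client_ip, path, param, value) for watched params with unexpected values."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        params = WATCHED.get(row.get("cs-uri-stem", "").lower())
        query = row.get("cs-uri-query", "-")
        if not params or query == "-":
            continue
        # parse_qsl percent-decodes, so encoded metacharacters are checked decoded.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() in params and not SAFE_VALUE.fullmatch(value):
                yield row.get("c-ip", "?"), row["cs-uri-stem"], name, value

# Constructed sample log (not from the advisory); values are inert placeholders.
SAMPLE = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2000-01-01 10:00:00 GET /IMManager/Admin/IMAdminSystemDashboard.asp refreshRateSetting=30 192.0.2.10 200
2000-01-01 10:00:05 GET /IMManager/Admin/IMAdminTOC_simple.asp nav=%3Cb%3Ex%3C%2Fb%3E&menuitem=1 192.0.2.77 200
2000-01-01 10:00:09 GET /IMManager/IMLogWeb/rdprocess.aspx rdProcess=a%26b 192.0.2.77 200
2000-01-01 10:00:12 GET /IMManager/Other.asp nav=%3Cb%3E 192.0.2.77 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_w3c(SAMPLE):
        print(hit)
```

Hits are a triage signal rather than proof of exploitation; the fix remains upgrading past the affected versions.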