CVE-2011-1524

Cross-site scripting (XSS) vulnerability in the management login GUI page in Symantec LiveUpdate Administrator (LUA) before 2.3 allows remote attackers to inject arbitrary web script or HTML via the username field, as demonstrated by injecting an IFRAME element into the event log, a different vulnerability than CVE-2011-0545.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 94%
VendorProductVersion
symantecliveupdate_administrator
𝑥
≤ 2.2.2.9
symantecliveupdate_administrator
2.1.0
symantecliveupdate_administrator
2.1.2
symantecliveupdate_administrator
2.1.3
symantecliveupdate_administrator
2.2.1
symantecliveupdate_administrator
2.2.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://securityreason.com/securityalert/8166
http://securitytracker.com/id?1025242
http://sotiriu.de/adv/NSOADV-2011-001.txt
http://www.exploit-db.com/exploits/17026
http://www.securityfocus.com/archive/1/517109/100/0/threaded
http://www.securityfocus.com/bid/46856
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110321_00
http://www.vupen.com/english/advisories/2011/0727
https://exchange.xforce.ibmcloud.com/vulnerabilities/66213
http://securityreason.com/securityalert/8166
http://securitytracker.com/id?1025242
http://sotiriu.de/adv/NSOADV-2011-001.txt
http://www.exploit-db.com/exploits/17026
http://www.securityfocus.com/archive/1/517109/100/0/threaded
http://www.securityfocus.com/bid/46856
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110321_00
http://www.vupen.com/english/advisories/2011/0727
https://exchange.xforce.ibmcloud.com/vulnerabilities/66213