ActiveX Control Vulnerability in Symantec Backup Exec for Windows Server
CVE-2007-6017

Currently unrated

Key Information:

Vendor: Symantec
Status: Backup Exec For Windows Server
Vendor: CVE Published:; 29 February 2008

Summary

The PVATLCalendar.PVCalendar.1 ActiveX control in the Media Server component of Symantec Backup Exec for Windows Server exposes a vulnerability through its unsafe Save method. This allows remote attackers to initiate a denial of service by crashing the browser or gain the capability to create or overwrite arbitrary files using manipulated string values. Notably, the vendor indicates that while authenticated user involvement is suggested, attackers can exploit client machines with this control loaded without needing any authentication.

References

http://support.veritas.com/docs/300471

x_refsource_CONFIRM

http://securitytracker.com/id?1019525

vdb-entryx_refsource_SECTRACK

http://www.symantec.com/avcenter/security/Content/2008.02...

x_refsource_CONFIRM

EPSS Score

7% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Feb 29, 2008
Vulnerability Reserved
Nov 19, 2007