SQL Injection Vulnerabilities in Symantec IM Manager Administrative Interface
CVE-2010-0112
Currently unrated
Summary
Multiple SQL injection vulnerabilities exist in the Administrative Interface of the IIS extension in Symantec IM Manager before version 8.4.16. They allow unauthorized remote attackers to execute arbitrary SQL commands through various parameters to rdpageimlogic.aspx and other related scripts. Exploitable inputs include the rdReport parameter, DetailReportGroup actions, and various clauses in user report requests, through which an attacker can interact with the underlying database in potentially harmful ways.