XML External Entity Vulnerability in Symantec Endpoint Protection and Protection Center
CVE-2013-5014

Currently unrated

Key Information:

Vendor
Symantec
CVE Published:
14 February 2014

Summary

The management console in Symantec Endpoint Protection Manager versions earlier than 11.0.7405.1424 and 12.1 versions before 12.1.4023.4080, as well as in Symantec Protection Center Small Business Edition versions prior to 12.1.4023.4080, is susceptible to XML External Entity (XXE) attacks. The flaw lets remote attackers read arbitrary files on the server. It arises when the console processes XML data that contains an external entity declaration together with an entity reference.

EPSS Score

86% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
