Four vulnerabilities in total were discovered in Symantec Data Center Security: Advanced Server (SDCS: SA). Vulnerabilities allow a potential attacker to bypass customer protection policies and gain access to the system and the database.
Security issues include the ability to import SQL (SQL injection), cross-site scripting (XSS), disclosure of information and bypassing protection policy.
Stefan Viehbock, security researcher at the SEC Consult Vulnerability Lab, discovered the vulnerabilities and reported them to Symantec at 20 October, 2014.
According to one its publication on Thursday, with the SQL injection, which states as CVE-2014-7289, an attacker could send SQL commands and run because of invalid input invalidation which allows read / write access to any record being available in a database .
During his research, Viehbock managed to add a new privilege admin privileges to SDCS: SA.
Using the XSS glitch (CVE-2014-9224) the investigator stated that an attacker could steal a user's session and gain access to the administrator's interface without permission.
With the third vulnerability (CVE-2014-9225), an attacker could benefit from accessing an unprotected script (https: //: 8081 / webui / admin / environment.jsp) containing internal details about requests to the server , such as file paths on the server and version information (OS, Java).
The fourth vulnerability discovered by Viehbock is referred to as CVE-2014-9226, and if utilized, it can override pre-selected security policies and bypass SDCS: SA client.
Symantec has already released patches, but only for SCSP products 5.2.9 MP6 and SDCS: SA 6.0 MP1.