Command execution in Symantec Reporter CLI

Published: 2019-01-11 16:55:49
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
CVE ID: CVE-2018-12237
CVSSv3: 6.3 [CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CWE ID: CWE-78
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Reporter CLI
Vulnerable software versions: Reporter CLI 10.2, Reporter CLI 10.1
Vendor URL: Symantec Corporation

Security Advisory

1) OS command injection

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to OS command injection. A remote authenticated malicious administrator with Enable mode access can execute arbitrary shell commands with elevated system privileges.

Remediation

The vulnerability has been fixed in versions 10.1.5.6 and 10.2.1.8.

External links

https://support.symantec.com/en_US/article.SYMSA1465.html