#VU42677 Cross-site scripting in Backup Exec - CVE-2013-4676
Vulnerability identifier: #VU42677
Vulnerability risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-79
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Backup Exec
Client/Desktop applications /
Multimedia software
Vendor: Veritas Technologies
Description
Vulnerability allows a remote attacker to perform Cross-site scripting attacks.
An input validation error exists in Symantec Backup Exec 2010 R3 before 2010 R3 SP3 and 2012 before SP2 when processing vectors involving a (1) custom-reports generation page, (2) Storage Devices creation page, or (3) jobs creation page in the management console; or (4) a Backup Exec server-management page in the beutility console. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
Backup Exec: 2010_r3 - 2012
External links
https://osvdb.org/95941
https://osvdb.org/95942
https://www.securityfocus.com/bid/61486
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20130801_00
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
