CVE-2009-3029 - OpenCVE

Cross-site scripting (XSS) vulnerability in the console in Symantec SecurityExpressions Audit and Compliance Server 4.1.1, 4.1, and earlier allows remote authenticated users to inject arbitrary web script or HTML via "external client input" that triggers crafted error messages.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Symantec	Securityexpressions Audit And Compliance Server

Configuration 1 [-]

OR	cpe:2.3:a:symantec:securityexpressions_audit_and_compliance_server::::::::
	cpe:2.3:a:symantec:securityexpressions_audit_and_compliance_server:4.1:::::::*

References

Link	Resource
http://secunia.com/advisories/36972	Vendor Advisory
http://securitytracker.com/id?1022989
http://www.osvdb.org/58651
http://www.securityfocus.com/bid/36570	Patch
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091006_00
http://www.vupen.com/english/advisories/2009/2849	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2009-10-15T10:00:00

Updated: 2013-02-07T10:00:00

Reserved: 2009-08-31T00:00:00

Link: CVE-2009-3029

JSON object: View

NVD Information

Status : Modified

Published: 2009-10-15T10:30:00.453

Modified: 2013-02-07T04:21:27.827

Link: CVE-2009-3029

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-10-06T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the console in Symantec SecurityExpressions Audit and Compliance Server 4.1.1, 4.1, and earlier allows remote authenticated users to inject arbitrary web script or HTML via \"external client input\" that triggers crafted error messages."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-02-07T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "ADV-2009-2849", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2009/2849"}, {"name": "36972", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/36972"}, {"name": "58651", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/58651"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091006_00"}, {"name": "1022989", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1022989"}, {"name": "36570", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/36570"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3029", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the console in Symantec SecurityExpressions Audit and Compliance Server 4.1.1, 4.1, and earlier allows remote authenticated users to inject arbitrary web script or HTML via \"external client input\" that triggers crafted error messages."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "ADV-2009-2849", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/2849"}, {"name": "36972", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36972"}, {"name": "58651", "refsource": "OSVDB", "url": "http://www.osvdb.org/58651"}, {"name": "http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091006_00", "refsource": "CONFIRM", "url": "http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091006_00"}, {"name": "1022989", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1022989"}, {"name": "36570", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36570"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-3029", "datePublished": "2009-10-15T10:00:00", "dateReserved": "2009-08-31T00:00:00", "dateUpdated": "2013-02-07T10:00:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:symantec:securityexpressions_audit_and_compliance_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D4E75BA-D9C7-4568-A978-82A304A4BDA6", "versionEndIncluding": "4.1.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:symantec:securityexpressions_audit_and_compliance_server:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "4A5B8408-80B7-4EAC-8439-EB35D7435CB6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the console in Symantec SecurityExpressions Audit and Compliance Server 4.1.1, 4.1, and earlier allows remote authenticated users to inject arbitrary web script or HTML via \"external client input\" that triggers crafted error messages."}, {"lang": "es", "value": "Ejecuci\u00f3n de comandos en sitios cruzados (XSS) en la consola de Symantec SecurityExpressions Audit y Compliance Server v4.1.1, v4.1 y anteriores permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML a trav\u00e9s de la \"entrada de clientes externos\" lo cual provoca mensajes de error manipulados."}], "id": "CVE-2009-3029", "lastModified": "2013-02-07T04:21:27.827", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2009-10-15T10:30:00.453", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/36972"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1022989"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/58651"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/36570"}, {"source": "cve@mitre.org", "url": "http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091006_00"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2009/2849"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}