5 matches found
CVE-2012-0304
The CVE-2012-0304 entry concerns Symantec LiveUpdate Administrator prior to 2.3.1. The installation directory was configured with weak permissions (Everyone: Full Control), enabling a local unprivileged user to replace or modify files that can be executed with SYSTEM privileges via a Trojan horse...
CVE-2014-1644
CVE-2014-1644 affects Symantec LiveUpdate Administrator (LUA) 2.x pre-2.3.2.110. The root cause is a flawed forgotten-password flow in the management GUI (/lua/forcepasswd.do) that allows unauthenticated password resets when the attacker knows the target email address, enabling potential full acc...
CVE-2011-0545
CVE-2011-0545 describes a cross-site request forgery in Symantec LiveUpdate Administrator (LUA) prior to version 2.3. The vulnerability occurs in the adduser.do endpoint via the userRole parameter, allowing a remote attacker to hijack administrator authentication to create new administrative acco...
CVE-2011-1524
CVE-2011-1524 is an XSS vulnerability in the Symantec LiveUpdate Administrator (LUA) management login GUI prior to version 2.3. The issue allows remote attackers to inject arbitrary script via the username field, demonstrated by inserting an IFRAME into the event log. Affected component is the LU...
CVE-2014-1645
CVE-2014-1645 is an SQL injection flaw in Symantec LiveUpdate Administrator (LUA) 2.x up to version 2.3.2.110, affecting the management GUI via forcepasswd.do and related password-recovery paths. The vulnerability allows remote attackers to execute arbitrary SQL commands, potentially exfiltrating...