Vulnerabilities > CVE-2014-1644 - Credentials Management vulnerability in Symantec Liveupdate Administrator
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
The forgotten-password feature in forcepasswd.do in the management GUI in Symantec LiveUpdate Administrator (LUA) 2.x before 2.3.2.110 allows remote attackers to reset arbitrary passwords by providing the e-mail address associated with a user account.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
| NASL family | CGI abuses |
| NASL id | SYMANTEC_LUA_2_3_2_110.NASL |
| description | The version of Symantec LiveUpdate Administrator 2.x hosted on the remote web server is prior to 2.3.2.110 (2.3.2.1). It is, therefore, affected by the following vulnerabilities : - A flaw exists with the forgotten password functionality where the password for an authorized user account can be forcefully reset. This could allow a remote attacker with knowledge of the account |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 73275 |
| published | 2014-03-31 |
| reporter | This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/73275 |
| title | Symantec LiveUpdate Administrator < 2.3.2.110 Multiple Vulnerabilities (SYM14-005) |
Seebug
| bulletinFamily | exploit |
| description | Bugtraq ID:66399 CVE ID:CVE-2014-1644 Symantec LiveUpdate Administrator是一款Symantec产品升级管理程序。 Symantec LiveUpdate Administrator管理GUI对登录/密码功能提供不正确的保护,允许攻击者在知道目标用户email地址的情况下,利用重置密码功能重置用户密码,未授权进行访问。 0 Symantec LiveUpdate Administrator 2.x Symantec LiveUpdate Administrator 2.3.2.110已经修复该漏洞,建议用户下载更新: http://www.symantec.com/business/support/index?page=content&id=TECH134809 |
| id | SSV:62001 |
| last seen | 2017-11-19 |
| modified | 2014-03-31 |
| published | 2014-03-31 |
| reporter | Root |
| title | Symantec LiveUpdate Administrator未授权访问漏洞 |
References
- http://archives.neohapsis.com/archives/bugtraq/2014-03/0172.html
- http://www.securityfocus.com/bid/66399
- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140327_00
- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140328-0_Symantec_LiveUpdate_Administrator_Multiple_vulnerabilities_wo_poc_v10.txt