Strike ID: E19-0y6t1
CVSS: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
False Positive: f
Variants: 1
Year: 2019

Description

This strike simulates a stored XSS attack on Symantec DLP 15.5 MP1. The flaw exists in the /ProtectManager/enforce/admin/senderrecipientpatterns/list endpoint due to a lack of sanitization of the name parameter. A successful authenticated attacker is thus able to gain control of the victim's browser.
