Symantec IT Management Suite Multiple Issues

IT Management Suite

1383

05 March 2020

31 October 2016

CLOSED

MEDIUM

6.7

SUMMARY

Symantec has released updates to address two security issues: a cross-site scripting (XSS) issue and a denial of service (DoS) issue reported in the Symantec IT Management Suite (ITMS) workflow process manager console.

AFFECTED PRODUCTS

Symantec IT Management Suite Workflow Process Manager Console

CVE                          | Affected Version(s) | Remediation
-----------------------------|---------------------|-------------------
CVE-2016-6588, CVE-2016-6589 | Prior to 8.0 HF4    | Upgrade to 8.0 HF4

ISSUES

CVE-2016-6588

Severity/CVSSv3: Medium / 6.7 AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

References: Securityfocus: BID 93952 / NVD: CVE-2016-6588

Impact: Cross site scripting

Description:

Symantec was notified of a reflected cross-site scripting (XSS) issue in the ITMS 8.0 workflow process manager console. The cause was a failure to properly filter user-supplied input in HTTP requests to the workflow process manager console.

XSS issues are the result of insufficient validation/sanitization of user input and server output. Exploitation of this type of issue requires a properly authenticated user to click a maliciously crafted link, or an authenticated user with access to the management console to submit a specifically formatted HTTP request. Depending on the nature of the link, arbitrary HTML requests and scripts may be executed in the context of the user, potentially allowing unauthorized access to or modification of ITMS information.

If an external attacker wanted to take advantage of this issue, they would need to successfully entice an authorized console user to visit a malicious website or click a malicious HTML link in an email.

In a typical installation, the Symantec ITMS workflow process manager console should not be accessible outside of the network environment, and access should be restricted to specified users/administrators. Web browsers used by authorized users to manage the Symantec ITMS workflow process manager should never be used to browse external websites during an active administrative session. These restrictions greatly reduce exposure to external exploit attempts.

CVE-2016-6589

Severity/CVSSv3: Low / 3.0 AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

References: Securityfocus: BID 93951 / NVD: CVE-2016-6589

Impact: Denial of service

Description:

The ITMS workflow process manager console login window does not properly sanitize user input. An authorized network user with access to the workflow process manager console application could potentially input large quantities of data. This could cause reduced responsiveness in the workflow process manager console application’s functionality.
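The following added example (not Symantec's code, and not derived from the ITMS product) illustrates the two defect classes described under CVE-2016-6588 and CVE-2016-6589 with a minimal login-page handler: a version that writes a submitted field back into the page without encoding and accepts input of any size, beside a hardened version that bounds field length before doing any work with the value and HTML-encodes everything it reflects. The endpoint path, the field name and the MAX_FIELD_LEN limit are constructed assumptions made only to keep the example concrete.

```python
import html
from typing import Dict, Tuple

# Constructed limit for illustration; the advisory gives no figure.
MAX_FIELD_LEN = 256

# Hypothetical endpoint path, used only to make the example concrete.
LOGIN_PATH = "/workflow/login"


def vulnerable_login_page(params: Dict[str, str]) -> Tuple[int, str]:
    """Login page exhibiting both defect classes the advisory describes.

    The submitted user name is written back into the HTML verbatim, so any
    markup in it is interpreted by the browser (reflected XSS), and no bound
    is placed on its size, so arbitrarily large input is processed and
    echoed in full (reduced responsiveness).
    """
    user = params.get("user", "")
    body = (
        f"<html><body><form method='post' action='{LOGIN_PATH}'>"
        f"<p>Login failed for user: {user}</p>"
        f"<input name='user' value='{user}'>"
        "</form></body></html>"
    )
    return 200, body


def hardened_login_page(params: Dict[str, str]) -> Tuple[int, str]:
    """The same page with input bounded and output encoded."""
    user = params.get("user", "")
    # Size check first, before anything else touches the value, so an
    # oversized field is rejected at a fixed, small cost.
    if len(user) > MAX_FIELD_LEN:
        return 400, "<html><body><p>Request rejected: field too long.</p></body></html>"
    # html.escape with quote=True turns & < > " and ' into entities, which
    # covers both the text node and the single-quoted attribute this page
    # reflects the value into.
    safe = html.escape(user, quote=True)
    body = (
        f"<html><body><form method='post' action='{LOGIN_PATH}'>"
        f"<p>Login failed for user: {safe}</p>"
        f"<input name='user' value='{safe}'>"
        "</form></body></html>"
    )
    return 200, body


def reflects_raw_markup(body: str, submitted: str) -> bool:
    """True when the submitted value appears in the response unencoded."""
    return submitted in body


if __name__ == "__main__":
    # Constructed inputs: the textbook XSS probe string and an oversized field.
    probe = {"user": "<script>alert(1)</script>"}
    oversized = {"user": "A" * 100_000}
    handlers = (("vulnerable", vulnerable_login_page), ("hardened", hardened_login_page))
    for name, handler in handlers:
        status, body = handler(probe)
        reflected = reflects_raw_markup(body, probe["user"])
        print(f"{name}: probe -> HTTP {status}, raw markup reflected: {reflected}")
        status, body = handler(oversized)
        print(f"{name}: oversized field -> HTTP {status}, response length: {len(body)}")
```

The order of the two checks in the hardened handler matters: bounding the size first means the encoding step, and anything else downstream, never runs over an unbounded value, which is the behaviour the denial-of-service description above is concerned with.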

ACKNOWLEDGEMENTS

  • Marcin Zięba of Prevenity.com (CVE-2016-6588, CVE-2016-6589)