Information Disclosure Vulnerability in Reporter

Product: Reporter
Advisory ID: 1489
Last updated: 04 May 2021
Published: 27 August 2019
Status: CLOSED
Severity: MEDIUM
CVSSv3 base score: 4.9

SUMMARY

The Symantec Reporter web UI is susceptible to an information disclosure vulnerability. A malicious authenticated Reporter administrator can retrieve, through the web UI, the passwords that Reporter stores for external servers (servers that administrator might not otherwise be authorized to access), as well as the passwords of other Reporter web UI users.

AFFECTED PRODUCTS

Reporter

CVE             Supported Version(s)   Remediation
CVE-2019-12753  10.3                   Upgrade to 10.3.2.5.
                10.4                   Not vulnerable, fixed
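A fleet-triage helper for the table above, written for this page as an added example (it is not Symantec code). It assumes Reporter versions are reported as dotted integers like those in the table, reads the 10.3 row as "any 10.3 build below 10.3.2.5 is vulnerable", and extrapolates the 10.4 row to 10.4 and later; anything older than 10.3 is outside what the advisory covers and is reported as unknown rather than guessed. The inventory at the bottom is constructed sample data.

```python
"""Classify Symantec Reporter versions against the CVE-2019-12753 advisory table.

Added example for this advisory page; not Symantec's code. The host names and
version strings below are constructed sample input.
"""

from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

FIXED_10_3: Version = (10, 3, 2, 5)          # advisory: 10.3 -> upgrade to 10.3.2.5
FIRST_UNAFFECTED_BRANCH: Version = (10, 4)   # advisory: 10.4 not vulnerable


def parse_version(text: str) -> Version:
    """Turn '10.3.2.5' into (10, 3, 2, 5); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def cve_2019_12753_status(version: str) -> Optional[bool]:
    """True if vulnerable, False if fixed or unaffected, None if the advisory
    does not cover the branch (anything older than 10.3)."""
    v = parse_version(version)
    branch = v[:2]
    if branch < (10, 3):
        return None                      # not a supported version in this advisory
    if branch == (10, 3):
        # Tuple comparison: a short string like '10.3.2' sorts below 10.3.2.5,
        # so incomplete 10.3 versions are treated as pre-fix builds.
        return v < FIXED_10_3
    # Assumption (not stated by the advisory): releases after 10.4 inherit the fix.
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status so the 'vulnerable' list can go straight to patching."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            status = cve_2019_12753_status(version)
        except ValueError:
            groups["unknown"].append(host)   # unparsable version: verify by hand
            continue
        if status is None:
            groups["unknown"].append(host)
        elif status:
            groups["vulnerable"].append(host)
        else:
            groups["fixed"].append(host)
    return groups


# Constructed sample inventory (host -> Reporter version), not real systems.
SAMPLE_INVENTORY = {
    "reporter-a": "10.3.2.4",
    "reporter-b": "10.3.2.5",
    "reporter-c": "10.4.1.1",
    "reporter-d": "10.2.0.9",
    "reporter-e": "10.3.1",
    "reporter-f": "n/a",
}

if __name__ == "__main__":
    for group, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{group:>10}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket are the ones to check manually; the advisory only speaks for the 10.3 and 10.4 branches, and a version string the script cannot parse should not be silently treated as safe.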

ISSUES

CVE-2019-12753
Severity / CVSSv3: Medium / 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
References: SecurityFocus BID 109829; NVD CVE-2019-12753
Impact: Information disclosure
Description: An information disclosure vulnerability in the Reporter web UI allows a malicious authenticated administrator user to obtain the passwords Reporter stores for external SMTP, FTP, FTPS, LDAP, and Cloud Log Download servers that they might not otherwise be authorized to access. The malicious administrator user can also obtain the passwords of other Reporter web UI users.

MITIGATION

This vulnerability has security impact only when Reporter is configured with multiple administrator users. The first authenticated administrator configures the external server passwords on Reporter; a second, malicious, authenticated administrator who is not authorized to access those external servers can nevertheless obtain the passwords through the Reporter web UI. Until the fixed release is installed, the exposure is therefore bounded by who holds Reporter administrator accounts: any administrator should be assumed able to read every stored external server password and every other web UI user's password.

ACKNOWLEDGEMENTS

  • CVE-2019-12753: Australian Taxation Office – VMR team

REVISION

2019-08-29: Advisory status moved to Closed.
2019-08-27: Initial public release.