Symantec Endpoint Protection Manager XXE and SQL Injection Vulnerabilities

Added: 02/24/2014
CVE: CVE-2013-5014
BID: 65466
OSVDB: 103306


Symantec Endpoint Protection, by Symantec Corporation, is an antivirus and personal firewall product designed to be centrally managed in corporate environments by the Symantec Endpoint Protection Manager (SEPM). The SEPM management console listens on TCP port 9090.


The management console for Symantec Endpoint Protection Manager is vulnerable to External XML Entity (XXE) injection (CVE-2013-5014) due to improper sanitization of external XML data. This vulnerability could potentially allow unauthorized access to restricted server-side data and console management functionality. Symantec Endpoint Protection Manager's management console is also vulnerable to SQL injection (CVE-2013-5015) due to insufficient sanitization of local queries made against the backend database. The XXE injection vulnerability can be leveraged to exploit the local access SQL injection vulnerability.


Apply the updates as described in Symantec Security Advisory SYM14-004.



This exploit was tested against the default Symantec Endpoint Protection Manager installation using embedded database on Windows Server 2003.



Back to exploit index