Vulnerability Details CVE-2014-1644
The forgotten-password feature in forcepasswd.do in the management GUI in Symantec LiveUpdate Administrator (LUA) 2.x before 2.3.2.110 allows remote attackers to reset arbitrary passwords by providing the e-mail address associated with a user account.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.009
EPSS Ranking 74.6%
CVSS Severity
CVSS v2 Score 7.5
References
- http://archives.neohapsis.com/archives/bugtraq/2014-03/0172.html
- http://www.securityfocus.com/bid/66399
- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140327_00
- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140328-0_Symantec_LiveUpdate_Administrator_Multiple_vulnerabilities_wo_poc_v10.txt
- http://archives.neohapsis.com/archives/bugtraq/2014-03/0172.html
- http://www.securityfocus.com/bid/66399
- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140327_00
- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140328-0_Symantec_LiveUpdate_Administrator_Multiple_vulnerabilities_wo_poc_v10.txt
Products affected by CVE-2014-1644
-
cpe:2.3:a:symantec:liveupdate_administrator:1.5.3.21
-
cpe:2.3:a:symantec:liveupdate_administrator:1.5.4
-
cpe:2.3:a:symantec:liveupdate_administrator:1.5.7.19
-
cpe:2.3:a:symantec:liveupdate_administrator:2.1.0
-
cpe:2.3:a:symantec:liveupdate_administrator:2.1.2
-
cpe:2.3:a:symantec:liveupdate_administrator:2.1.3
-
cpe:2.3:a:symantec:liveupdate_administrator:2.2.1
-
cpe:2.3:a:symantec:liveupdate_administrator:2.2.2
-
cpe:2.3:a:symantec:liveupdate_administrator:2.2.2.9
-
cpe:2.3:a:symantec:liveupdate_administrator:2.3.0
-
cpe:2.3:a:symantec:liveupdate_administrator:2.3.1