CVE-2007-6017

Name of the Vulnerable Software and Affected Versions Symantec Backup Exec for Windows Server versions 11.0.6235 through 11.0.7170 Symantec Backup Exec for Windows Server version 12.0.1364

Description The issue allows remote attackers to cause a denial of service or create and overwrite arbitrary files via string values of certain properties, including DOWText0, DOWText1, DOWText2, DOWText3, DOWText4, DOWText5, DOWText6, MonthText0, MonthText1, MonthText2, MonthText3, MonthText4, MonthText5, MonthText6, MonthText7, MonthText8, MonthText9, MonthText10, and MonthText11. It does not require authentication to attack a client machine that loads the vulnerable control.

Recommendations For Symantec Backup Exec for Windows Server versions 11.0.6235 through 11.0.7170, consider disabling the Save method in the PVATLCalendar.PVCalendar.1 ActiveX control until a patch is available. For Symantec Backup Exec for Windows Server version 12.0.1364, consider disabling the Save method in the PVATLCalendar.PVCalendar.1 ActiveX control until a patch is available. As a temporary workaround, restrict access to the properties DOWText0 through DOWText6 and MonthText0 through MonthText11 to minimize the risk of exploitation.