CVE-2010-0112

Name of the Vulnerable Software and Affected Versions Symantec IM Manager versions prior to 8.4.16

Description The issue concerns multiple SQL injection vulnerabilities in the Administrative Interface of Symantec IM Manager. These vulnerabilities allow remote attackers to execute arbitrary SQL commands via various parameters in different actions to specific API endpoints, such as rdpageimlogic.aspx and IMAdminReportTrendFormRun.asp. The vulnerable parameters include rdReport, selclause, whereTrendTimeClause, TrendTypeForReport, whereProtocolClause, groupClause, loginTimeStamp, dbo, dateDiffParam, whereClause, groupList, and email. The vulnerabilities are related to the sGetDefinition function in rdServer.dll and SQL statements contained within certain report files.

Recommendations For Symantec IM Manager versions prior to 8.4.16, update to version 8.4.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as rdpageimlogic.aspx and IMAdminReportTrendFormRun.asp, until a patch is available. Avoid using the vulnerable parameters, such as rdReport, selclause, whereTrendTimeClause, TrendTypeForReport, whereProtocolClause, groupClause, loginTimeStamp, dbo, dateDiffParam, whereClause, groupList, and email, in the affected API endpoints until the issue is resolved.