Lofi

**Name of the Vulnerable Software and Affected Versions** Symantec LiveUpdate Administrator versions prior to 2.3 **Description** A cross-site request forgery issue affects the adduser.do endpoint, allowing remote attackers to hijack administrator authentication for creating new administrative accounts, potentially having other unspecified impacts. The `userRole` parameter is involved in this issue. **Recommendations** For versions prior to 2.3, update to version 2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the adduser.do endpoint to minimize the risk of exploitation. Avoid using the `userRole` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Symantec LiveUpdate Administrator (LUA) versions prior to 2.3 **Description** A cross-site scripting (XSS) issue exists in the management login GUI page, allowing remote attackers to inject arbitrary web script or HTML via the `username` field. This can be demonstrated by injecting an IFRAME element into the event log. **Recommendations** For versions prior to 2.3, update to version 2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the management login GUI page to minimize the risk of exploitation. Avoid using the `username` field in the affected login page until the issue is resolved.