CVE-2015-8157
moderate-risk
Published 2016-06-08
SQL injection vulnerability in the Management Server in Symantec Embedded Security: Critical System Protection (SES:CSP) 1.0.x before 1.0 MP5, Embedded Security: Critical System Protection for Controllers and Devices (SES:CSP) 6.5.0 before MP1, Critical System Protection (SCSP) before 5.2.9 MP6, Data Center Security: Server Advanced Server (DCS:SA) 6.x before 6.5 MP1 and 6.6 before MP1, and Data Center Security: Server Advanced Server and Agents (DCS:SA) through 6.6 MP1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
Do I need to act?
-
0.40% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10
High
NETWORK
/ LOW complexity
Affected Products (6)
Symantec Data Center Security Server And Agents
Symantec Embedded Security Critical System Protection
Symantec Critical System Protection
Symantec Embedded Security Critical System Protection For Controllers And Devices
Affected Vendors
References (4)
Third Party Advisory
http://www.securityfocus.com/bid/90889
Technical Description
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=securit...
Third Party Advisory
http://www.securityfocus.com/bid/90889
Technical Description
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=securit...
45
/ 100
moderate-risk
Severity
30/34 · Critical
Exploitability
2/34 · Minimal
Exposure
13/34 · Low