CVE-2015-8799
moderate-risk
Published 2016-06-08
Directory traversal vulnerability in the Management Server in Symantec Embedded Security: Critical System Protection (SES:CSP) 1.0.x before 1.0 MP5, Embedded Security: Critical System Protection for Controllers and Devices (SES:CSP) 6.5.0 before MP1, Critical System Protection (SCSP) before 5.2.9 MP6, Data Center Security: Server Advanced Server (DCS:SA) 6.x before 6.5 MP1 and 6.6 before MP1, and Data Center Security: Server Advanced Server and Agents (DCS:SA) through 6.6 MP1 allows remote authenticated users to write update-package data to arbitrary agent locations via unspecified vectors.
Do I need to act?
~
1.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.6/10
High
ADJACENT_NETWORK
/ HIGH complexity
Affected Products (7)
Symantec Embedded Security Critical System Protection
Symantec Critical System Protection
Symantec Data Center Security Server And Agents
Symantec Embedded Security Critical System Protection For Controllers And Devices
Affected Vendors
References (4)
Third Party Advisory
http://www.securityfocus.com/bid/90885
Third Party Advisory
http://www.securityfocus.com/bid/90885
38
/ 100
moderate-risk
Severity
20/34 · Moderate
Exploitability
4/34 · Minimal
Exposure
14/34 · Moderate