Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-3437XML External Entity (XXE) Injection in Endpoint Protection Manager

4 documents4 sources
Severity
7.5HIGHNVD
EPSS
22.3%
top 4.18%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Symantec Endpoint Protection Manager
Timeline
PublishedNov 7
Latest updateMay 14

Description

The management console in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU5 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-3qg9-856j-f4jv: The management console in Symantec Endpoint Protection Manager (SEPM) 122022-05-14
CVEList
CVE-2014-3437: The management console in Symantec Endpoint Protection Manager (SEPM) 122014-11-07

💥Exploits & PoCs

1
Exploit-DB
Symantec Endpoint Protection 12.1.4023.4080 - Multiple Vulnerabilities2014-11-06
CVE-2014-3437 — XML External Entity (XXE) Injection | cvebase