Multiple vulnerabilities have been reported in Symantec IM Manager, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct cross-site scripting attacks, according to Secunia.
1. Input passed to the “refreshRateSetting” parameter in IMManager/Admin/IMAdminSystemDashboard.asp, “nav” and “menuitem” parameters in IMManager/Admin/IMAdminTOC_simple.asp, and “action” parameter in IMManager/Admin/IMAdminEdituser.asp is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
2. An input validation error exists within the Administrator Console. No further information is currently available.
Successful exploitation of this vulnerability may allow execution of arbitrary code.
The vulnerabilities are reported in version 8.4.17 and prior.
Solution: Update to version 8.4.18.