Symantec IM Manager Code Injection Vulnerability.
IM Manager versions prior to 8.4.18 are affected.
Symantec IM Manager is prone to a vulnerability that will let attackers run arbitrary code.
Symantec was notified of cross-site scripting and code injection/execution issues present in the Symantec IM Manager management console. The management console fails to properly filter and validate external inputs. Successful exploitation of SQL injection or remote code execution could possibly lead to compromise of the database or application. Additionally, successful exploitation of cross-site scripting could possibly lead to unauthorized access to users' session cookies or to unauthorized network information. In normal installations, the management console is not reachable from outside the network. Hence, an authorized but unprivileged network user would have to exploit these issues or be enticed to visit a malicious link.
Remote attackers can exploit this issue to run arbitrary code in the context of the affected application.
Symantec recommends all customers upgrade to Symantec IM Manager - 8.4.18, available through the FileConnect-Electronic Software Distribution web site.