CVE-2019-12753 - OpenCVE

An information disclosure vulnerability in Symantec Reporter web UI 10.3 prior to 10.3.2.5 allows a malicious authenticated administrator user to obtain passwords for external SMTP, FTP, FTPS, LDAP, and Cloud Log Download servers that they might not otherwise be authorized to access. The malicious administrator user can also obtain the passwords of other Reporter web UI users.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Symantec	Reporter

Configuration 1 [-]

cpe:2.3:a:symantec:reporter:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://support.symantec.com/us/en/article.SYMSA1489.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: symantec

Published: 2019-08-29T22:40:19

Updated: 2024-08-04T23:32:54.989Z

Reserved: 2019-06-06T00:00:00

Link: CVE-2019-12753

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-08-30T09:15:18.007

Modified: 2021-07-21T11:39:23.747

Link: CVE-2019-12753

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Symantec Reporter", "vendor": "Symantec Corporation", "versions": [{"status": "affected", "version": "Reporter 10.3 prior to 10.3.2.5"}]}], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability in Symantec Reporter web UI 10.3 prior to 10.3.2.5 allows a malicious authenticated administrator user to obtain passwords for external SMTP, FTP, FTPS, LDAP, and Cloud Log Download servers that they might not otherwise be authorized to access. The malicious administrator user can also obtain the passwords of other Reporter web UI users."}], "problemTypes": [{"descriptions": [{"description": "Information disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-29T22:40:19", "orgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "shortName": "symantec"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://support.symantec.com/us/en/article.SYMSA1489.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@symantec.com", "ID": "CVE-2019-12753", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Symantec Reporter", "version": {"version_data": [{"version_value": "Reporter 10.3 prior to 10.3.2.5"}]}}]}, "vendor_name": "Symantec Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An information disclosure vulnerability in Symantec Reporter web UI 10.3 prior to 10.3.2.5 allows a malicious authenticated administrator user to obtain passwords for external SMTP, FTP, FTPS, LDAP, and Cloud Log Download servers that they might not otherwise be authorized to access. The malicious administrator user can also obtain the passwords of other Reporter web UI users."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information disclosure"}]}]}, "references": {"reference_data": [{"name": "https://support.symantec.com/us/en/article.SYMSA1489.html", "refsource": "CONFIRM", "url": "https://support.symantec.com/us/en/article.SYMSA1489.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:32:54.989Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.symantec.com/us/en/article.SYMSA1489.html"}]}]}, "cveMetadata": {"assignerOrgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "assignerShortName": "symantec", "cveId": "CVE-2019-12753", "datePublished": "2019-08-29T22:40:19", "dateReserved": "2019-06-06T00:00:00", "dateUpdated": "2024-08-04T23:32:54.989Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:symantec:reporter:*:*:*:*:*:*:*:*", "matchCriteriaId": "81B9CBE6-70CF-482E-8871-414C62144FAA", "versionEndExcluding": "10.3.2.5", "versionStartIncluding": "10.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability in Symantec Reporter web UI 10.3 prior to 10.3.2.5 allows a malicious authenticated administrator user to obtain passwords for external SMTP, FTP, FTPS, LDAP, and Cloud Log Download servers that they might not otherwise be authorized to access. The malicious administrator user can also obtain the passwords of other Reporter web UI users."}, {"lang": "es", "value": "Una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en Symantec Reporter web UI versiones 10.3 anteriores a 10.3.2.5, permite a un usuario administrador autenticado malicioso obtener contrase\u00f1as por servidores externos SMTP, FTP, FTPS, LDAP y Cloud Log Download a los que no estar\u00edan autorizados para acceder de otro modo. El usuario administrador malicioso tambi\u00e9n puede obtener las contrase\u00f1as de otros usuarios de Reporter web UI."}], "id": "CVE-2019-12753", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-30T09:15:18.007", "references": [{"source": "secure@symantec.com", "tags": ["Vendor Advisory"], "url": "https://support.symantec.com/us/en/article.SYMSA1489.html"}], "sourceIdentifier": "secure@symantec.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}