CVE-2014-7285

Published: Dec 17, 2014Modified: May 6, 2026

6.5

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability: 8.0 / Impact: 6.4

Source: NVD

Description

The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Affected (1)

Products: Symantec: Web Gateway

Symantec

1 product

Web Gateway

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Symantec Web Gateway	Up to 5.2.1

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (14)

http://karmainsecurity.com/KIS-2014-19

Source: secure@symantec.com

http://osvdb.org/show/osvdb/116009

Source: secure@symantec.com

http://packetstormsecurity.com/files/130612/Symantec-Web-Gateway-5-restore.php-Command-Injection.html

Source: secure@symantec.com

http://www.exploit-db.com/exploits/36263

Source: secure@symantec.com

http://www.securityfocus.com/bid/71620

Source: secure@symantec.com

http://www.securitytracker.com/id/1031386

Source: secure@symantec.com

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141216_00

Source: secure@symantec.com

Vendor Advisory

http://karmainsecurity.com/KIS-2014-19