Symantec Endpoint Protection Manager and client v12.1
SEPM provides a centrally managed solution. It handles security policy
enforcement, host integrity checking (Symantec Network Access Control only),
and automated remediation over all clients. The policies functionality is
the heart of the Symantec software. Clients connect to the server to get the
latest policies, security settings, and software updates.
Multiple Cross Site Scripting (XSS)
Cross Site Request Forgeries (CSRF)
CVE-2016-3652 / XSS
CVE-2016-3653 / CSRF
CVE-2016-5304 / Open Redirect
The management console for SEPM contains a number of security
vulnerabilities that could be used by a lower-privileged user or by
an unauthorized user to elevate privilege or gain access to unauthorized
information on the management server. Exploitation attempts of
these vulnerabilities requires access to the SEP Management console.
In this case XSS can bypass the "http-only" cookie protection because the
SEPM application writes and stores the session ID within various
exposing them directly to the XSS attack.
So all we need to do is alert(createModalDialogFromURL) anyone one of them
(functions) an it will leak the session ID essentially throwing the
HttpOnly secure cookie protection flag into the garbage.
XSS POC Defeat http-only flag and access PHPSESSID: