
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3252
   Symantec SYMSA1489 - Information Disclosure Vulnerability in Reporter
                              28 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Reporter
Publisher:         Symantec
Operating System:  Network Appliance
                   Virtualisation
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12753  

Original Bulletin: 
   http://support.symantec.com/us/en/article.SYMSA1489.html

--------------------------BEGIN INCLUDED TEXT--------------------

Information Disclosure Vulnerability in Reporter

SYMSA1489
Last Updated August 27, 2019
Initial Publication Date August 09, 2019

  o Status: Open
  o Severity: Critical
  o CVSS Base Score: 4.9

Summary

Affected Products

+---------------------------------------------------------+
|                        Reporter                         |
+--------------+--------------------+---------------------+
|     CVE      |Supported Version(s)|Remediation          |
+--------------+--------------------+---------------------+
|              |10.3                |Upgrade to 10.3.2.5. |
|CVE-2019-12753+--------------------+---------------------+
|              |10.4                |Not vulnerable, fixed|
+--------------+--------------------+---------------------+

Issues

+-----------------------------------------------------------------------------+
|                               CVE-2019-12753                                |
+-----------+-----------------------------------------------------------------+
|Severity / |Medium / 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)               |
|  CVSSv3   |                                                                 |
+-----------+-----------------------------------------------------------------+
|References |SecurityFocus: BID 109829 / NVD: CVE-2019-12753                  |
+-----------+-----------------------------------------------------------------+
|  Impact   |Information disclosure                                           |
+-----------+-----------------------------------------------------------------+
|           |An information disclosure vulnerability in the Reporter web UI   |
|           |allows a malicious authenticated administrator user to obtain    |
|Description|passwords for external SMTP, FTP, FTPS, LDAP, and Cloud Log      |
|           |Download servers that they might not otherwise be authorized to  |
|           |access. The malicious administrator user can also obtain the     |
|           |passwords of other Reporter web UI users.                        |
+-----------+-----------------------------------------------------------------+

Mitigation

This vulnerability has security impact only when Reporter is configured with
multiple administrator users. The first authenticated administrator can
configure the external server passwords on Reporter. The second, malicious,
authenticated administrator user might not be authorized to access the external
servers but can obtain the passwords through the Reporter web UI.
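The advisory does not say how Reporter exposed the stored passwords, only that an authenticated administrator could read them back through the web UI. The following added example (hypothetical code, not Symantec's) illustrates the bug class with a settings endpoint for external SMTP/FTP/LDAP servers: the vulnerable serializer echoes the stored secret, the hardened one treats the password as write-only and still lets an admin edit the record without losing it.

```python
"""Illustration of the bug class in SYMSA1489: a management UI that echoes
stored credentials for external servers back to any authenticated admin.
Hypothetical code, not Symantec Reporter's."""
import json
from dataclasses import dataclass

REDACTED = "********"  # sentinel returned to the form instead of the secret


@dataclass
class ExternalServer:
    kind: str          # e.g. "smtp", "ftp", "ldap"
    host: str
    username: str
    password: str      # stored secret; must never be sent back to the browser


def settings_vulnerable(servers):
    """Vulnerable pattern: the settings view serialises the whole record,
    so any admin who can open the page learns every server password."""
    return json.dumps([vars(s) for s in servers])


def settings_hardened(servers):
    """Hardened pattern: the secret is write-only. The view reports only
    whether a password is set and a sentinel for the form field."""
    out = []
    for s in servers:
        d = dict(vars(s))
        d["password"] = REDACTED if s.password else ""
        d["password_set"] = bool(s.password)
        out.append(d)
    return json.dumps(out)


def apply_update(server, submitted):
    """Accept an edit form; keep the old secret when the untouched sentinel
    comes back, so redaction does not break ordinary editing."""
    server.host = submitted.get("host", server.host)
    server.username = submitted.get("username", server.username)
    new_pw = submitted.get("password")
    if new_pw is not None and new_pw != REDACTED:
        server.password = new_pw
    return server


def leaks_secret(payload, servers):
    """Regression check: a settings response must not contain any stored secret."""
    return any(s.password and s.password in payload for s in servers)


# Constructed sample configuration (placeholder hosts and credentials)
SAMPLE = [
    ExternalServer("smtp", "mail.example.test", "reporter", "Smtp-Example-1"),
    ExternalServer("ldap", "ldap.example.test", "cn=svc", "Ldap-Example-2"),
]
```

The `leaks_secret` check is the kind of assertion a UI test suite can run over every settings response so a second administrator only ever sees that a password exists, not its value.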

Acknowledgements

  o CVE-2019-12753: Australian Taxation Office - VMR team

Revisions

2019-08-27: initial public release

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================