Vulnerability Details : CVE-2001-1125
Symantec LiveUpdate before 1.6 does not use cryptography to ensure the integrity of download files, which allows remote attackers to execute arbitrary code via DNS spoofing of the update.symantec.com site.
Vulnerability category: Execute code
Exploit prediction scoring system (EPSS) score for CVE-2001-1125
Probability of exploitation activity in the next 30 days: 1.73%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 87 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2001-1125
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2001-1125
-
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.Assigned by: nvd@nist.gov (Primary)
References for CVE-2001-1125
-
http://www.securityfocus.com/archive/1/218717
Broken Link;Patch;Third Party Advisory;VDB Entry;Vendor Advisory
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/7235
Symantec LiveUpdate host verification failure could allow malicious LiveUpdate download CVE-2001-1126 Vulnerability ReportThird Party Advisory;VDB Entry
-
http://www.sarc.com/avcenter/security/Content/2001.10.05.html
Broken Link
-
http://www.securityfocus.com/bid/3403
Broken Link;Patch;Third Party Advisory;VDB Entry;Vendor Advisory
Products affected by CVE-2001-1125
- cpe:2.3:a:symantec:liveupdate:*:*:*:*:*:*:*:*